Java SE 6 Satisfies The Early Adopters

BY ALEX HANDY

Java releases used to be like the murderer in an Agatha Christie novel: occasionally appearing behind the fence or in the attic, but largely hidden until the end. Sun Microsystems' December release of Java SE 6, however, was preceded by a year of public betas that arrived with much more frequency than in previous versions. Now, a month after the final version of the environment arrived, some adventurous early adopters are already crowing about better performance, easier debugging and handsome GUI applications.

'This feels very sturdy, and since it was a more conservative update than Java 5, it probably is more sturdy.'

—Barry Burd, mathematics and computer science professor at Drew University

Hani Suleiman, CTO of Formicary, a financial consulting and integrations firm and a member of the Java Community Process, has been following the evolution of Java SE 6 closely. Even before the final release of the new version, Suleiman saw major improvements in the ways Sun prepared for the release.

"Gone are the days where we had to wait months for a beta drop," said Suleiman. "From very early on in the process, anyone could have grabbed the latest

continued on page 30 ►




Nicholas Kassem led a team of Sun engineers to Redmond to work on interoperability with Microsoft.



Veracode Understands What's At Stake

Security analysis tool searches for vulnerabilities in executables

BY ALEX HANDY

Old hackers never die, they just build new startups. Such is the fate of Boston hacker collective L0pht, the remnants of which formed a new company, Veracode, last March. That company's first product, also named Veracode, is an on-demand binary security scanning tool designed to help developers ferret out potentially exploitable vulnerabilities before they can be discovered by nefarious coders in the wild.

Veracode began life as a project of AtStake, the professional consulting firm that evolved out of the L0pht. That hacker collective is best known for its L0phtCrack tool, a Windows password cracking program that is still used today by the National Security Agency and other U.S. government agencies. Chris Wysopal, Veracode's CTO, and Christien Rioux, Veracode's chief scientist, both began working on the Veracode analysis tool in 2002, after forming AtStake, which was purchased by Symantec in 2004.

Now, after five years of development, the Veracode tool will surface for the first time at

continued on page 29 ►

After uploading a binary to Veracode.com, users can track vulnerabilities and bugs found, then move them into their own bug-tracking databases.



Sun Shines On WS-* Integration

BY ALEX HANDY

Chutzpah was the word most used to describe Sun Microsystems' Redmond emissaries. When eight of Sun's enterprise Java engineers flew up to Washington state to collaborate with Microsoft's engineers, many industry watchers trotted out that venerable Yiddish word, which, loosely translated, means gall.

But as these two teams worked together to bring about some calm in the turbulent seas of Web services, they found that engineering knows no prejudice. The result, three years later, is Sun's Web Services Integration Technology, and Microsoft has called it the best implementation of the WS-* standards outside of its own.

In 2004, Nicholas Kassem, Sun's technology director for the enterprise Java platform, was given the task of understanding Microsoft's new Web services specifications.

"Going back to about 2004 when we kicked off this effort, the real intent was to provide first-class interoperability between the Java platform of our products and [what became] the [Windows] Vista environment," said Kassem.

When Kassem arrived in Redmond, the Web services specifications being worked on therein were still behind closed doors. Kassem said that a major part of his job was to advocate the open-

continued on page 20 ►
UNDETECTED DEFECTS LURKING IN YOUR CODE CAN PROVE DISASTROUS FOR YOUR BUSINESS.

Hidden bugs in your valuable source code can have serious consequences for your software— countless patches, drops in customer satisfaction, product recalls or worse. You need to know all your code is clean. Coverity offers advanced source code analysis products for the detection of hazardous defects and security vulnerabilities. Catastrophic errors are identified immediately as code is written, assuring the highest possible code quality — no matter how complex your code base. This allows your developers to spend less time searching for bugs and more time adding value to your product. FREE TRIAL: Let us show you what evil lurks in your code. Go to www5.coverity.com to request a free trial that will scan your code and identify defects hidden in it.

coverity

Your code is either Coverity clean — or it's not.



Innovations by InterSystems 




Teach old applications new tricks. 

Chances are you have users who want your applications to do new and wondrous things. 
So you've probably tried rewriting them, and know how difficult that can be. 

We have an easy way to enhance applications without rewriting - adding functionality 
and new user interfaces, and giving your applications the capability to work together as 
an ensemble. 

These impressive tricks are performed easily with Ensemble - a software innovation 
by InterSystems that enables you to extend your applications with a browser-based user 
interface, adaptable workflow, rules-based business processes, executive dashboards, and 
more. In addition, Ensemble gives you the ability to rapidly connect people and processes. 

We are InterSystems, a global software company with a 28 -year track record of 
innovations that enrich applications. 

InterSystems 



ENSEMBLE 



Read case studies about this exciting innovation at InterSystems.com/Enrich2JJ 

© 2007 InterSystems Corporation. All rights reserved. InterSystems Ensemble is a registered trademark of InterSystems Corporation.
SOATest at Your (Quality of) Service

Version 5.0 sports new metrics, granular XML message testing

BY ALEX HANDY

Parasoft's SOA testing solution can now evaluate services for quality and speed. With version 5.0 of SOATest released on Jan. 29, the company has added more granular controls for the testing of XML messages as they pass through a network, as well as new facilities for evaluating the quality of service given in a SOA environment.

Parasoft's vice president of strategy and corporate development, Wayne Ariola, said that SOATest can be used right from the start of a SOA project. Once a development team begins building code on top of business requirements, said Ariola, SOATest 5.0 can be used to build functional tests that evaluate whether or not those requirements are met.

"It allows the tests built early in the development cycle to allow the QA group to extend the end-to-end scenarios," said Ariola.

New to version 5.0 of SOATest is the ability to monitor the quality of services being offered. According to Rami Jaamour, product manager of SOATest, the new edition includes a graphical tool for selecting quality-of-service metrics, against which tests can be built. These include such variables as the number of failures and successes encountered, or the time between submission and reception of a request. "Once you define these graphically, you can run your load and verify whether your application has satisfied these metrics or not," said Jaamour.

Elsewhere in version 5.0, Parasoft has attempted to bridge the gap between functional and unit tests.

SOATest now offers a graphical interface for building quality-of-service tests.

"One of the main technologies we're introducing allows you to have visibility into the different layers of an application," said Jaamour. "With the complexities we are seeing in SOA environments, it's becoming more and more difficult to isolate problems unless you have something that bridges the functional side of things and the detailed code side of things."

He went on to say, "We have an agent that can be dropped into a Java-based server that allows you to run the functional tests and at the same time trace the code execution in the server." That execution can be recorded and then imported into Eclipse, allowing developers to build newer, more specific JUnit tests that can help to narrow down the source of a problem, he explained.

SOATest 5.0 costs US$4,000 per seat. It runs under Linux, Solaris or Windows, and includes both a server-side monitoring system and a rich-client-based interface for creating tests.

Ariola stated that future versions of the software will likely include the ability to bring coding policies defined in SOATest into an Eclipse-based IDE, thus forcing developers to adhere to standards while coding. Currently, these SOATest design-time policies are enforceable only through the nightly test and build process.



Without DARPA Funds, Sun Opens Fortress

Focus is now on creating a parallel Fortran replacement

BY ALEX HANDY

Sun Microsystems' Fortress is now open source. In early January, this next-generation parallel programming language was made available in the form of an alpha release that includes an interpreter but not a compiler. Future releases of Fortress will likely include the contributions of interested developers, as Sun has spent a great deal of time making Fortress amenable to the addition of new libraries.

Sun fellow Guy L. Steele Jr. said that Sun's initial goal of winning a phase-three DARPA contract for the development of Fortress has now been replaced with the goal of creating an open source, massively parallel Fortran replacement. When Sun found that it hadn't won the DARPA contract in November of last year, Steele said that the company decided to continue working on Fortress primarily because of its past successes with Java.

Said Steele: "Fortran is an array-oriented language. Fortran historically supported up to nine dimensional arrays, and as of 2003, it supported up to 15 dimensions in an array." Fortress, said Steele, is built to accommodate an unlimited number of dimensions in an array, and is fenced in only by available memory.

The Fortress team currently is working on building out the extensible infrastructure of the language, says Sun's Steele.

Fortress was developed as a response to DARPA's request for a secure programming language. As a result, Fortress was built on some of the same underpinnings as Java. "Like Java, and unlike Fortran or C++, you can't violate the basic data types of the language," said Steele. This means developers writing Fortress code can't create some of the more common exploitable holes that come from sloppy coding.

While this initial release is only an alpha, and does not include a compiler, future releases will, said Steele. He added that the six members and one intern working full-time on Fortress have released a new specification for the language every two months. The team is also working on experimental code that shows off the abilities of Fortress.

AIMING HIGH

Currently, these experiments are benchmark-oriented, and include such examples as Gyrokinetic Toroidal Code (GTC). Steele said that creating GTC in Fortress is an attempt to match the performance of similar code written in Fortran, but with significant ease-of-use advances for the coder. GTC attempts to simulate the movement of particles inside of a plasma generator regulated by a doughnut-shaped electromagnetic field.

Heavy stuff for a language that's not even compilable yet. But Steele and the Fortress team have been aiming high right from the start. Steele said that a considerable amount of time is currently being spent on allowing for the future addition of libraries. As such, much of the current work done by the Fortress team is focused on building out the extensible infrastructure of the language.

And that infrastructure is likely to see a great deal of interest from the open source community, said Steele. In the week since Fortress' initial alpha release was made public, Steele claimed that the project's Web site saw 18,000 visitors.

While none of those visitors will be compiling their Fortress code anytime soon, they are certainly able to play around with the syntax and structure of the language. And a powerful new language is always good for business, said Steele. "Java was a good thing for Sun, not because Sun made money directly off of Java, but because it grew the entire market."
COMPANIES

Versant, which sells data management software, has become a sponsor at ODBMS.org, a not-for-profit group that publishes educational materials on object database technologies. Robert Greene, Versant's VP of product strategy, has been appointed as an expert to the group's panel of contributors.

NEW PRODUCTS

WIBU Systems USA has released its new CodeMeter software protection hardware device. This software-access USB device, called the CM-Stick, is different from previous USB hardware encryption keys, or "dongles," because it can unlock multiple applications if the developers using it so desire. The company hopes its new dongle will enable developers to use a single device with multiple applications, rather than a separate stick for each program. The hardware comes with 128KB of secure memory. WIBU devices are available on a per-device basis, and require no royalties. Future versions of CodeMeter will include the hardware device as a PCMCIA card and as a PCI Express Card.

UPDATES

Legacy software modernization company Seagull Software has released version 4.1 of its BlueZone Access Server, which provides HTML and thin-client terminal emulation for IBM mainframes. New to this release are wizards for HTML page editing and quick configuration, a new HTML emulation client and an HTML style sheet for the HTML client for easy customization . . . SpreadsheetGear has made available SpreadsheetGear for .NET 2006 2.5, a royalty-free Microsoft Excel-compatible spreadsheet component. The new release supports cell comments, data validation, pictures, text boxes, form controls and autoshapes, according to the company . . . SmartDraw 2007 (release 8.1), the business graphics design tool updated in January, offers more complex graphical effects, such as color transparency for use in Venn diagrams; support for Tablet PCs; and automatic connection completion when elements are deleted from a diagram . . . Pegasystems has released version 5.2 of its SmartBPM Suite with new Adobe Flex-based visualization to help users improve the performance of their business processes with the use of rich graphics. SOA integration testing and accessibility also are among the more than 60 new features the company says it has built into this release . . . .NET software component provider Codejock Software has updated its Xtreme ToolkitPro and Xtreme SuitePro, with an Office 2007-style RibbonBar, RibbonBar screen tips, CommandBar and Windows Vista-style skins among the new features. It also boasts a new syntax edit control based on the Visual Studio .NET syntax editor.

PEOPLE

David Worthington has joined the staff of SD Times as an associate editor. Worthington has covered the technology industry for more than six years, and has written for Ziff Davis' eWeek and BetaNews.com. He holds a B.B.A. from Temple University . . . Rich Internet application technology pioneer ActiveGrid has named Christopher Keene chairman and CEO. Keene in 1991 founded data management company Persistence Software, which was sold in 2004 to Progress Software. ActiveGrid founder Peter Yared will continue as CTO . . . Roger Sullivan, VP of Oracle Identity Management, has been elected president of the Liberty Alliance Management board. Sullivan served as VP for the past two years. Jason Rouault, CTO of Identity Management at HP, has been elected the new VP . . . db4objects, creator of the open-source object database db4o, has named German Viscuso as global community host. Viscuso will act as liaison between the company and the open-source community for the db4o project, which now has more than 18,000 registered users from 120 countries.



Java Data Mining 2.0 API Heads Toward Finalization

Spec overhaul adds transformations, simplifies models

BY ALEX HANDY

In the end, it's all just data. When JSR 73 was completed back in 2000, it was the first time Java developers had a clear path to spelunking through their databases without digressing into another language or platform-specific API. Now, seven years later, the Java Data Mining specification is closer than ever to receiving a complete overhaul. JSR 247, the Data Mining 2.0 API, is on the last leg of its journey through the Java Community Process, and could be finalized before the end of 2007.

Mark Hornick, senior manager in the Oracle data mining technologies group and specification lead for JSR 73, began work in 2004 as the specification lead on JSR 247. Since that time, the new API has passed its public review ballot and begun heading toward its final draft.

"Java developers prefer to write Java and not to map to other languages. We provided explicit object representation in JDM 1.0. Developers no longer needed to reinvent the mapping of various data components returned from non-Java APIs," said Hornick of his previous JSR. But despite the benefits of JDM 1.0, Hornick said that there was a lot of room for improvement in JDM 2.0.

SIMPLIFY, SIMPLIFY

He said that one of the major themes in Data Mining 2.0 is simplification. "We wanted to minimize repetitive specifications. Imagine a genomic data set of 5,000 genes. You want to normalize the data so that all values are between 0 and 1. Of course, you want to do this without having to list every single value. You shouldn't have to write 5,000 lines of code specifying every asset," said Hornick.

Before JDM 2.0, that might not have been so easy to do. But version 2.0 adds transformation functions that can handle such actions with aplomb, said Hornick.

One of the major themes in 2.0 is simplification. 'We wanted to minimize repetitive specifications.'

—Mark Hornick, senior manager in the Oracle data mining technologies group

"Eighty percent of your time is spent on transformations, while 20 percent is spent on modeling, and the fun part is the modeling," said Hornick of the reasons behind adding transformation capabilities to Java Data Mining 2.0. "So the data preparation part of the data mining interfaces allows you to perform data transformations, such as outlier treatment. We also allow the specification of expressions that can incorporate SQL commands," said Hornick.

"We had the notion that in a database environment you have all your info in that database," said Hornick of the optimized data retrieval and extraction model in 2.0. "All you should need to do is pass to the database the customer ID and the model you want to score. So that's an optimization we included in 2.0. You can specify the identifier of the case you want and the model you want, and then you get the score back for that without having to retrieve that a second time."

The new specification also includes facilities for mining text, though Hornick stated that the myriad methods of analyzing text necessitated a loose framework.

"You can identify a column as being text, and we'll go through and do the term extraction for that and include the results with the remaining structured data. You can mine that and include that as part of the predictors for a given model," said Hornick. "We leave it up to the vendors' creativity to decide what they want to do [from there]." Hornick stated that further text analysis capabilities were numerous, but that the technical committee of JSR 247 decided to stop here.

"In the future it might be appropriate to go to the next step and say, 'How do we want to extract from those?'" said Hornick.

PRACTICAL APPLICATION

As for possible real-world uses of the new Java Data Mining 2.0 API, Hornick saw many potential targets. "Data mining is widely applicable in many different industries," said Hornick. "It's useful in life sciences, where you need to perhaps understand what is the likely outcome of a procedure for a patient. Real-time scoring is useful in retail, for example. Imagine you have a call center application, and you want to understand, 'What are the products I should be offering to this customer?'"

Hornick added that retail and customer service applications could be modified to determine whether or not a customer is likely to cancel a subscription, or switch to a competitor. Thanks to the enhanced real-time scoring capabilities added in JDM 2.0, said Hornick, all of these things can be determined while the customer is still on the phone.

While the JSR 247 Web page lists June as the goal for completion of the specification, Hornick could not predict when the final draft will be ready for a vote, due to the busy schedules of those involved in the project.

One thing Hornick could predict, however, was that Oracle would be releasing software based on the new specification.
Does your ASP.NET server farm need help?

E-commerce is unforgiving. Lost sessions and slow performance mean lost sales - and lost customers.

Give your server farm the help it needs. With ScaleOut StateServer's distributed, in-memory storage, you get blazing performance, scalability, and 24x7 availability.

Now you can avoid trading off performance to keep your fast-changing data safe. Whether you are storing ASP.NET session-state or caching application data across the farm, ScaleOut StateServer delivers rock-solid performance.

Let our next generation technology help put you on the path to success.

ScaleOut StateServer

Scalable Workload Data Storage for Server Farms







UBL 2.0 Wins Approval From OASIS as Specification

Business language gets 23 new document types

BY JEFF FEINMAN

UBL 2.0, the Universal Business Language that provides users with a set of XML-based electronic document schemas, was approved as an OASIS standard last month. This version of the specification adds 23 new document types to UBL.

OASIS is an umbrella organization for a number of XML standardization efforts. Founded in 1993, the not-for-profit group creates specifications for Web services and e-business.

As a large portion of the funding for the new UBL schemas has come from the government of Denmark, Danish businesses are required to comply with UBL regulations. Denmark will be deploying 12 UBL documents into the private sector in 2007, with eventual savings to the country's businesses estimated at €550 million-€700 million annually.

The United States, meanwhile, has used UBL schemas as the basis for the Electronic Freight Management initiative, which is currently under development by the U.S. Department of Transportation. The EFM is a project focused on improving speed and accuracy of freight movement through methods such as standardizing information exchanges between supply chain partners.

"With respect to the use of UBL for the EFM project, I understand the decision was based on selecting an international and open standard that covered their requirements and was also mature and stable enough to implement," said Tim McGrath, vice chair of OASIS. "The U.S. [Dept. of Transportation] team have been very helpful in reviewing the UBL documents and, in fact, helped us develop the Transportation Status document standard that forms a major part of EFM."

According to Jon Bosak, distinguished engineer for Sun Microsystems, development of UBL first began in 1997 with the creation of the Common Business Language 1.0, followed by two more releases in 1999 and 2000. Sun eventually organized an OASIS technical committee to create an appropriate standard XML type for e-business. The first two versions of UBL, 0.7 and 1.0, were released in 2003 and 2004, respectively.



Simultaneous Crawl And Audit New to WebInspect

BY JEFF FEINMAN

SPI Dynamics announced on Jan. 29 the release of WebInspect 7.0, the latest upgrade of the company's application security assessment tool.

According to the company, the key new feature is simultaneous crawl and audit, which allows a tester to audit the application while running the crawl at the same time. WebInspect 7.0 also offers the ability to run multiple simultaneous scans from a single scanner and offers evolved state management to eliminate complexities of Web site authentication such as two-factor and Captcha authentication protocols. All of this has made scan runs faster by at least 50 percent, the company claims.

"No Web application scanner today works in this fashion," said Caleb Sima, CTO and founder of SPI Dynamics. "We've made the way that auditing in an application works completely different."

WebInspect 7.
app auditing,

To make these new features possible, SPI Dynamics redesigned the product's engine with more capability to handle today's Web applications. Improved coordination between auditing and crawling and the ability to hand off information were also important ingredients.

"It's not easy making an automated product act like a user, and that's one of the key things we had to do to get this architecture in place," Sima said. "Think about the last Web application that you logged into, whether it's your bank or something similar to that, and the route that you take and the complex choices that you make while clicking on things. It's a very difficult thing to make an automated product do that properly, and with all the technology involved in that, [it] requires a lot of work, and that's what we've put into this new version."
Survey Suggests Offshoring Benefits

BY DAVID WORTHINGTON

Offshoring is a contentious topic that invokes strong opinions, but the reality is that software development has already become a process that spans the globe. The Software & Information Industry Association (SIIA), an industry trade association, has released a report that concludes global software development is beneficial to business growth, and is on the rise.

Some of the report's highlights reveal that a vast majority of those surveyed consider offshore work to be an "important" or "critical" driver for their growth strategies.

Respondents indicated that cost savings met projected goals and had a positive impact on profits.

However, gains in productivity did not always match expectations. The report cites members' experiences that productivity is hampered when either party underestimates the amount of effort and adaptation necessary to make offshore development work. The governing construct is that partnerships are long-term and should not be viewed as quick, cost-cutting measures.

Companies that send development offshore have not coalesced onto a single business model that achieves optimum results. Approximately half of businesses surveyed work directly with an offshore provider, a third operate a subsidiary, and the remainder employ a hybrid model.

SIGNIFICANT RISE

The report indicates that offshore work has increased significantly over the past 18 months among 57 percent of those sampled. What's more, those same companies are trending toward offshoring more work over the coming 18 months.

Not every company surveyed exhibited readiness to embrace offshoring. Fear of losing control is identified as the leading reason why some companies choose not to. That response was nearly unanimous, with 91 percent stating it was a "somewhat" or "very" important factor against outsourcing work.

The basis for the report's findings is a survey that was sent to a random sample of SIIA members, establishing a limited probability sample of 114 respondents.

Statistically speaking, the sample may not be reflective of the industry as a whole due to the small sample size taken.

When questioned about this, an SIIA spokesperson told SD Times, "While not statistically projectable to the software development industry as a whole, we believe the findings are highly indicative of the overall trends in the software and technology industry."

SIIA's survey was conducted in partnership with Symphony Services, a purveyor of outsourcing services. Symphony assisted in the development of the survey form and analysis, but did not finance the work.

A copy of the report is available at www.siia.net/software.
Ruby In Steel Forges Ahead

Add-in software brings Ruby coding support to Visual Studio 2005

BY ALEX HANDY

When Huw Collingbourne and Dermot Hogan started programming in Ruby, they felt something was missing. "We really missed Visual Studio," said Collingbourne of the code-completing, syntax-highlighting IDE. Thus, the pair formed SapphireSteel Software to bring Ruby coders into Microsoft's venerable IDE in the form of an add-on. In early January, the developer edition of Ruby In Steel arrived, offering IntelliSense support for Ruby for US$249 per user.

'OVER 9,000 DOWNLOADS'

For the past year, Collingbourne, SapphireSteel's technology director, and Hogan, its chief architect, have been generating buzz through preliminary releases of the personal edition of their software. Ruby In Steel Personal Edition has already had more than 9,000 downloads, claimed Collingbourne, and most of those have been from the United States.

That personal edition is still free but does not include some features, such as a fast debugger, smart indenting and IntelliSense support.

Collingbourne said that IntelliSense support was both a blessing and a curse during development.

"IntelliSense poses some special problems when working with a language as dynamic as Ruby," said Collingbourne. "In languages such as C# or C++, the type of each variable has to be declared before it's used. That makes it easy for an IntelliSense system to determine the appropriate methods to display in a code-completion list. In Ruby, not only are the types of variables not declared, but just to add to our problems, each variable can take on many different types in the course of a single program. In order to get good, meaningful IntelliSense, we effectively had to build our own Ruby interpreter to analyze the code as it is being entered."

Collingbourne said that the toughest part was working with the largely nebulous areas behind Visual Studio. "Integrating a language into Visual Studio is extremely complicated. You have to make use of numerous COM interfaces, a great many of which are poorly documented," said Collingbourne.

The fast debugger, nicknamed Cylon, is another of Collingbourne's favorite children. "The default Ruby debugger is notoriously slow. We believe we have, quite simply, the fastest Ruby debugger around. In the first release, it is limited to working in 'single threaded' mode. We will release a multi-threaded version of the debugger in a forthcoming update, and we still expect it to be the fastest there is," said Collingbourne.

That update will be free for registered users, Collingbourne added.
Orchestration Strikes Chord at TIBCO

BY P. J. CONNOLLY

TIBCO Software stepped into the business process orchestration pit last week with the release of BusinessWorks 5.4, which offers what the company claims is the industry's first support for BPEL (Business Process Execution Language) 2.0, in an implementation of the OASIS WS-BPEL 1.1 specification. By integrating orchestration with the BusinessWorks ESB, the company claims the new release enables visibility into process execution, allowing exceptions to be handled more smoothly than might otherwise be the case.

BusinessWorks 5.4 also includes the ability to maintain contexts derived from external identity management systems throughout a BusinessWorks process, through the use of a modular security architecture. The company expects that enhancements to the data transformation engine in the new release will improve performance in real-world use.

BusinessWorks 5.4 also allows the monitoring of distributed transactions with the company's Hawk and Enterprise Management Advisor tools; in-flight transactions and transaction metrics can be analyzed for process optimization or troubleshooting.

The new version also includes support for a number of 64-bit operating-system platforms, including AIX, HP-UX, Linux and Solaris. It also adds the latest revisions of Microsoft SQL Server and Oracle 10g to the list of supported relational database management systems, as well as Jakarta 3.0.1 and Tomcat 5.5 from the Apache Software Foundation.

Logi 8 Gets MAX, .NET Update

BY DAVID RUBINSTEIN

LogiXML in mid-January released Logi 8, the first update in two years to its pure Web-based reporting platform, which is now AJAX-based and compliant with Microsoft's .NET 2.0 Framework.

The Logi 8 platform consists of the managed reporting tool Logi 8 Info, ad hoc and OLAP reporting tools, and Logi 8 Mart, which can extract data from different sources to serve into reports, according to company founder and CEO Annan Esraghi. "We rewrote the ad hoc reporting to make it more expandable," he said. "It now uses different reporting components, such as charts and data visualization, so the emphasis is on the presentation part."

Logi 8 Info, which is used by developers to build reports, now has AJAX dashboards that can accept panels from different data sources for creating analysis grids in more interactive ways, Esraghi explained.

Also new in this release is an enhanced PDF rendering engine that processes HTML to PDF based on style sheets, so the rendering will be predictable.

Esraghi described the introduction of the iPhone by Apple CEO Steve Jobs at January's Macworld as "revolutionary. It's a full version of the Safari browser on a mobile phone. Any Web site you can run on the Macintosh, you can run on the phone." This, he said, could create more opportunities for businesses to deliver Web-based information to the field.
For Manufacturers, Manual Processes Rule

Study finds only 8 percent rely solely on technology for compliance

BY JENNIFER DEJONG

Most manufacturers still rely on manual processes to comply with government mandates.

That is the key finding of the "Compliance and Traceability in Regulated Industries Benchmark Report," published by Aberdeen Group in late December. Only 8 percent of the manufacturers surveyed have eliminated pen and paper or manual spreadsheet programs for their compliance and traceability programs, the study found. Furthermore, only 24 percent of manufacturers surveyed have implemented technology solutions with both production process visibility and automated traceability functionality, according to the report.

Automating compliance efforts is likely to become increasingly important, given the growing number of regulations to which manufacturers are subject.

Some mandates, such as the Clean Air Act, which originated in 1963, apply across all manufacturing sectors, noted Aberdeen analyst Matthew Littlefield. Others vary by industry. For example, pharmaceutical firms must adhere to Food and Drug Administration regulations. And car makers must comply with a set of rules known as TREAD (for Transportation Recall Enhancement, Accountability and Documentation) to trace where auto parts came from. Another recently enacted regulation is the Bioterrorism Act of 2002, which mandates, among other things, that food and beverage companies report who they buy from and who they sell to, Littlefield said.

Companies that use technology are more likely to achieve higher rates of compliance, he said, citing a key conclusion of the report, which was underwritten in part by companies that sell software to manufacturers, including Cincom, IQS, MasterControl and SAE.

The report found that the top 20 percent of those surveyed achieved compliance rates of 98 percent, Littlefield said. Findings were based on a survey of 340 companies in the pharmaceutical, medical device, food and beverage, aerospace and defense, automotive and other industries. Companies that achieved high rates of compliance had integrated compliance and traceability measures with production processes, and with enterprise applications, including ERP (Enterprise Resource Planning) systems, QMS (Quality Management Solutions) and MES (Manufacturing Execution Systems), Littlefield said.

A key reason why manufacturers have been slow to automate compliance efforts is that such efforts have traditionally been viewed as a "cost of business," the report said. But that perception is changing. When compliance and traceability efforts are integrated with enterprise applications, manufacturers can gain a competitive advantage, Littlefield said.
Dynamic Web Remoting: RMI for the Web

Software based on 2.0 spec facilitates Java communication with JavaScript

BY ALEX HANDY

DWR is the acronym for Dynamic Web Remoting, a project aimed at giving Java developers a way to interact with the JavaScript that makes browser interactions more functional. Version 2.0 of the DWR project is nearing completion, and should be available as you read this.

Joe Walker, an independent developer and consultant behind the DWR effort, said that DWR provides an easy path for developers looking to build sites with Java behind and JavaScript in front. "Given a small amount of configuration, you can use Java functions in JavaScript almost exactly as if they were in the browser, and not on the server, and in reverse it allows the server to asynchronously execute JavaScript on the client," said Walker.

DWR consists of a Java servlet on the server that processes requests, and JavaScript running in the browser that sends the requests and can dynamically update the Web page. DWR generates JavaScript based on Java classes, but the server is executing the code, according to the Web site getahead.ltd.uk, Walker's Web site that hosts the DWR software and effort.

NEW REVERSE CAPABILITIES

The new version of DWR adds reverse AJAX capabilities, with comet (long-lived), polling and piggybacking methods of asynchronously transferring messages. These new reverse capabilities are refined to lessen the bandwidth burden on servers, said Walker.

Also new to this version are security features that Walker claimed will help to prevent cross-site scripting attacks, as well as cross-site request forgery exploits. Version 2.0 also adds the first code to generate JavaScript from a Java API.

Walker added that DWR is flexible enough to be used in a variety of different models. "A lot depends on how you want to work," said Walker. "DWR will support having a totally client-side data model, and syncing infrequently, or you can use it to publish changes as they happen. You can think of DWR as RMI for the Web," said Walker, referring to Remote Method Invocation.

DWR will also work with JSP and JSF, said Walker. These existing Java Web facilities aren't required, however. "It's not an either/or," said Walker.

TIBCO Software is kicking money and work to the DWR project, and likely will integrate it with the TIBCO General Interface software.

"We have many customers already using DWR with the General Interface Ajax library," said Kevin Hakman, TIBCO's director of product marketing. Walker expressed a hope that the TIBCO funding would help to push DWR further into the RIA space.
Sybase iAnywhere Goes Multi-Everything

SQL Anywhere 10 adds support for AIX, HP-UX, Mac OS X, Solaris; now runs on Itanium hardware

BY P. J. CONNOLLY

Recognizing the increasing use of Apple hardware and software in high-performance, front-line environments, Sybase's iAnywhere subsidiary used January's Macworld Conference and Expo in San Francisco as the launch site for a version of SQL Anywhere 10 that runs on Intel-based Macs, including a free Developer Edition of SQL Anywhere 10 for Mac OS X.

Sybase's announcement claimed this to be the first database to offer bidirectional synchronization between enterprise database servers and databases on Apple's new hardware platform. SQL Anywhere allows developers to use a variety of development tools in creating powerful applications that require multiple data access interfaces.

Sybase iAnywhere's definition of the "front lines" is broad: It embraces the obvious cases of the mobile user armed with a laptop or other personal device and the branch or remote office scenario, but goes further, according to Chris Kleisath, senior director of engineering for Sybase iAnywhere. The small- or medium-size enterprise that lacks a dedicated IT staff is included as a "front lines" example, as is the instance where the database is embedded inside an application; Kleisath pointed out that Intuit QuickBooks uses SQL Anywhere under the hood.

The GUI front end in SQL Anywhere 10 for Mac OS X allows developers to have fine-grain control over the customization and optimization of a database.

The new release takes advantage of the Intel Core2Duo processors that Apple began using in its hardware last year, Kleisath noted. "On the new machines that have dual-core processors, this will enable one query to be split across both of those processors, for better performance."

He also observed that iAnywhere "fits in quite nicely with the target market for the Mac," people who want computing power but want it in an attractive, accessible package.

MORE PLATFORMS

At the same time, Sybase iAnywhere announced that SQL Anywhere 10 had been released for a number of other platforms, including Itanium for Linux and Windows, HP-UX on Itanium and PA-RISC, Solaris for SPARC and x64, AIX and Novell Netware. It had previously been released for Windows Mobile, and both Linux and Windows on x86 and x64 hardware. Palm OS and Symbian OS devices are supported through the SQL Anywhere UltraLite database management system, which also runs on Windows and Windows Mobile and uses SQL Anywhere MobiLink for synchronization with enterprise databases.

To address the needs of Sybase iAnywhere's overseas customers, the subsidiary announced that French and German versions of SQL Anywhere 10 with fully localized documentation, packaging and software are now available, and also confirmed plans to provide fully localized Japanese and Simplified Chinese editions of the product in a forthcoming maintenance release. Key software components of SQL Anywhere have been localized for a number of Asian and Indo-European languages.
Oracle Updates Free SQL Developer Tools

Package lets users browse third-party databases, adds version control support

BY P. J. CONNOLLY

The nice thing about free developer tools is that they fit within everyone's budget, but the downside is that the providers may not refresh the codebase often enough for the giveaway to retain its usefulness. Oracle seems to have learned that lesson, as seen in the latest update to the free Oracle SQL Developer.

SQL Developer provides its users with a graphical front end for database development. The package includes an object browser, report creation and generation tools, and script and statement generators. The new release now allows users to browse data in third-party databases, including Microsoft's Access and SQL Server, as well as MySQL, using extension technology from the company's forthcoming Migration Workbench.

Sue Harper, senior principal product manager at Oracle, explained that SQL Developer was meant to be a simple yet powerful supplement to the command line: "The idea was to provide a tool that's a quick install, quick to start using... and has a lot of drag-and-drop functionality." The need for such a tool must have been acute; according to Harper, the 1.0 release had been downloaded 394,000 times between March and December 2006, placing third among all downloads from Oracle's Technology Network.

The new release of SQL Developer has a myriad of small enhancements, but Harper pointed to the tool's new interoperability with version control systems as a particularly useful improvement. "We've added what we call 'file-based PL/SQL support,' which means that they can open their files in SQL Developer, make their changes to the code, compile it [if necessary], and then check it back in."

Another major improvement Harper cited was the Object Navigator, the back end of which was completely rewritten for the new release. She claimed that now, "users can filter objects quite easily," a feature especially important to application developers.

The new report options in SQL Developer 1.1 provide detailed views into data, as in this master detail report.

Reporting also got some attention in the new release, Harper observed. "We've added the ability in 1.1 for users to create what we call 'Master Detail Reports,' and to have charts, giving users a chance to see the impact of their data, or the way it is laid out," Harper said.

The new release, SQL Developer 1.1, runs on Linux, Mac OS X and Windows, and works with Oracle Database 9i Release 2 and the Oracle 10g database family.

LOOKING AHEAD

Harper also noted that another release of SQL Developer is expected for late this year. The planned release will focus on support for the forthcoming Oracle 11g database, she said: "We would like the users of SQL Developer to be able to take advantage of the 11g features" as early as possible.

Oracle also announced its latest developer community site, the SQL Developer Exchange. Accessible at sqldeveloper.oracle.com, the site features the customary array of code snippets, development team blogs and forums for community discussion.

"We're asking [developers] questions: What aspects of the product are they using, what do they like or not like, and we're taking that information and trying to roll it back into the product," Harper explained.
Salesforce's Apex On-Demand Platform Comes Out

BY JEFF FEINMAN

Salesforce.com has released its new on-demand platform and the Apex language, which is used for constructing on-demand applications inside of its AppExchange system.

The ApexConnect platform encompasses a feature set for building business applications such as data models and objects to manage data, a workflow engine for managing collaboration of data between users, a user interface mode for handling forms, and the Apex Web services API for mashups and integration with other applications.

Apex will run completely on Salesforce.com's service. Its platform has a multi-tenancy feature, which means it can ease the hosting of application information within back-end databases. The platform has a single infrastructure and a centrally maintained codebase that can be shared by all users and upgraded simultaneously, according to the company.

"Now you can create the next Salesforce.com," said Marc Benioff, chairman and CEO of Salesforce.com.

The Apex language, which was introduced by Salesforce.com in October 2006 for developer preview, can be used to build applications from scratch and then expose them externally as Web services. Additionally, the language can be used to supplement existing Salesforce.com applications and to customize their functionality.

Salesforce.com will be introducing new services for hopeful software-as-a-service vendors throughout 2007, including development support, venture capital solicitation and even the option for developers to rent a cubicle in Salesforce headquarters for US$20,000 per year.

Symantec Creates Dashboard For Performance

BY JEFF FEINMAN

Symantec has announced that it has expanded its Application Performance Management portfolio by adding an Application Service Dashboard, which integrates monitoring analysis viewpoints onto a single screen.

The information security company also announced the newest version of Symantec Insight Inquire, its monitoring solution.

The Application Service Dashboard can be customized to a specific job function, and can also display the performance of multiple applications in a consolidated environment.

Insight Inquire provides agentless, real-time monitoring by using synthetic transactions, which are browser-based recorded transactions. "It is quick time-to-value as far as what's going on with my application; it is running and looking at it from a 24x7 perspective," said Rob Greer, director of product marketing for Symantec's Server Foundation and APM products.

One of the newest enhancements to Insight Inquire 3.0 is an embedded database, so it no longer depends on Oracle or Sybase for the product's performance and availability metrics.



Fortify to Buy Competing App Security Firm

BY JENNIFER DEJONG

In what may be the first sign of consolidation in the application security market, Fortify Software in mid-January announced plans to buy a competitor.

The Palo Alto, Calif.-based company has entered a definitive agreement to acquire McLean, Va.-based Secure Software. The terms of the sale were not disclosed, but a statement released by Fortify said the acquisition includes "certain intellectual property, capital assets and skilled resources."

Both companies sell source code analysis tools, which find and fix security flaws early in the development life cycle, before a hacker could exploit them. Fortify plans to incorporate some aspects of Secure Software's CodeAssure into its own Source Code Analysis (SCA) tool, but it will not sell CodeAssure as a separate offering. "We will support CodeAssure in the short run and transition those customers to Fortify SCA," said Fortify CEO John Jack, in a phone interview with SD Times. "Both products approach source code analysis in a similar fashion." The Fortify offering is essentially a superset of CodeAssure, he said.

Fortify has acquired the license rights to CLASP, notes Jack.

The acquisition isn't about products, said Voke analyst Theresa Lanowitz. It's about CLASP, Secure Software's methodology for addressing application security at each stage of the application life cycle. CLASP (which stands for Comprehensive, Lightweight Application Security Process) has some real weight behind it, she said. Fortify's offerings align with the stages of CLASP, in much the same way that IBM Rational tools align with those of the Rational Unified Process, she said, referring to IBM's lightweight development methodology. "I see this [acquisition] as analogous."

Fortify has acquired, among other assets, the license rights to CLASP, which Secure Software donated to the Open Web Application Security Project last year, noted Fortify's Jack. "We have acquired the brainpower behind it," he said. Fortify was expected to complete the sale by the end of January.

But how much of that brainpower will actually assume a role at Fortify isn't yet clear. Secure Software CEO Kevin Kernan is not staying on. "I will assist in the transition," he said. "And some number of employees will come across." But who, and how many, has yet to be determined, said Jack. John Viega, CLASP's principal author, left Secure Software last year to join McAfee, noted Kernan.

MORE CONSOLIDATION AHEAD?

SPI Dynamics' security evangelist Michael Sutton said consolidation is likely to take the form of companies that sell source code analysis tools teaming up with those that sell so-called black-box testing tools. "The two will converge."

Black-box tools test applications by attacking them, much the same way a hacker would.

A more interesting question to Voke's Lanowitz is: When will a big application life-cycle management player buy an application security company? "I expect one of them is going to make that kind of statement," she said, referring to Compuware, IBM, HP and Microsoft. Secure Software's Kernan didn't disagree. "They are keeping a close ear to the ground on this space. I think we will see that in late 2007, or early 2008."
Sun's WS-* Integrations
A Collaborative Success

◄ continued from page 1

ing of these specifications, a process that has subsequently taken place in the OASIS standards body.

While Kassem does not take credit for spurring Microsoft to open its specifications, he does take credit for identifying the specs that were most important to interoperability. The first of these was WS-Addressing. "[WS-Addressing] was really the first case in the Web services community of a formal way of referencing end points," said Kassem.

Kassem went on to place bulls-eyes on a number of other WS-* specifications, targeting them for implementation on the Java side of the fence. These included WS-Policy, WS-Security, WS-SecurityPolicy, WS-Trust, WS-ReliableMessaging, WS-Coordination and WS-AtomicTransaction. These specifications, Kassem decided, would most directly require interactions with non-.NET systems.

Since Kassem's first trip to Redmond, Sun's Project Tango has grown to include all of these and a few more WS-* specifications. Kassem's team has built facilities for these protocols to interact with Java environments. So effective has Kassem's team been that Microsoft has even praised Sun for creating the best implementation of the WS-* specifications outside of its own. This from the company many consider to be Sun's arch nemesis.

CAN'T GET FOOLED AGAIN

Kassem said that his role in this high-profile project has been helped along by learning from prior Sun mistakes.

"We chose not to spin up JSRs around these," said Kassem. "We wanted to preserve the investment our customers had made in technology that already had traction, such as JAX-WS and JAXB. We didn't want to turn interoperability with Vista into a whole new set of APIs to learn. So, for example, folks who are customers who have invested in EJBs — we didn't want to have to introduce a whole new programming model so they could implement WS-AtomicTransaction and WS-Coordination."

Another key to the success of Project Tango, said Kassem, was his insistence that tooling be available as soon as the interoperability code was released.

"Tooling typically lags," said Kassem. "We didn't want to repeat some of the things we'd done in the past. We wanted to make sure we had a good user experience on the tooling front, too. Within weeks of the Glassfish beta program, we were spinning up proof-of-concept activities," said Kassem.

Much of Project Tango's real-world experience has come from Glassfish, Sun's next-generation application server. Kassem said that the WSIT capabilities in Glassfish are now mostly complete, and that his team is primarily working on bug fixes. The team's NetBeans tooling, built specifically to deal with the WS-* specifications, has helped to speed the deployment of these interoperability capabilities, said Kassem.

So, despite the years of bad blood between Sun and Microsoft, it would appear that their collaboration has been a success. Kassem deems it a success as well. "We've had a very amicable and good relationship. We're pleased with the overall interaction models," said Kassem. "Engineer-to-engineer interactions are always healthy. It's been useful for us because we wanted to make sure we didn't have paper-level interoperability; we have real-world product-level interoperability."
Telerik Embraces AJAX, Vista in UI Tools

BY P. J. CONNOLLY

Telerik announced the availability of its radControls Q4 2006 user interface components for ASP.NET and Windows Forms. The WinForms edition allows developers to build applications with the look-and-feel of Microsoft's recently released Windows Vista, and the ability to run on Windows 2000 and XP as well as Vista.

It also offers an implementation of Office 2007's Ribbon interface, with the context-sensitive architecture and the new Key Tips for keyboard navigation in the Ribbon. The radPanelbar control adds an Outlook-style element to the interface, allowing hierarchical navigation and use of a column display, while the Shape Designer lets designers use nontraditional shapes easily, without special coding.

Meanwhile, radControls for ASP.NET Q4 2006 adds an updated editor, an enhanced radGrid 4.5, and radChart 3.0. The new radChart includes advanced data-binding features, a chart wizard, and full Visual Studio 2005 design time support. The WYSIWYG radEditor 7.0 now offers inline spell-checking, and AJAX-based spell-checking in the integrated radSpell 3.0, with the aim of error-proofing code at its simplest level. The entire suite has been tweaked to support the release candidate of Microsoft's ASP.NET AJAX implementation, as well as the final version, and includes full C# and JavaScript source code.

CodeWeavers Crosses Over To Macintosh

BY P. J. CONNOLLY

The Wine Project, now in its 14th year, began as an attempt to develop a translation layer that would allow POSIX systems to run Windows applications. The obvious advantage over virtualization lies in eliminating the additional maintenance and overhead of the guest operating system. CodeWeavers, the corporation most closely identified with the Wine Project, recently updated its product family, refreshing and renaming one member while adding another.

CrossOver Linux 6.0, formerly CrossOver Office, now offers improved support for popular games, including World of Warcraft. Many business applications also work on CrossOver Linux; the new release now allows the use of Microsoft's Project 2003 and Visio 2003.

CodeWeavers also released CrossOver Mac, for Apple's Intel-based systems, at the Macworld Conference and Expo in San Francisco. The Mac edition also supports a wide range of business applications, as well as popular games.

The company offers a Compatibility Center on its Web site, allowing interested users to verify the support for a given application; there were 2,587 applications listed in the database as of Jan. 11. If the desired application meets the highest standard of compatibility, it goes into the database with a so-called "gold medal"; there were 13 applications at this level, also as of Jan. 11.
AVIcode Ships Always-On Monitoring

Latest Intercept Studio geared to watch post-deployment behavior

BY JEFF FEINMAN

Testing doesn't stop when the software is shipped — or even when it's installed onto an enterprise server. Developers and testers have expectations for how the software should behave post-deployment, and according to AVIcode, now there's a tool that can see if .NET server apps meet those expectations.

The latest version of Intercept Studio, released last month, now offers both a per-application and a system-level view of key performance indicators, sending that data back to both administrators and developers. The company calls this a "concurrent view" of both application failures and performance bottlenecks.

"Concurrent monitoring was really born out of a need to contractually support some of the systems that were being developed in a 24x7 manner and ensure uptime to avoid significant penalties. The basic premise around the product is that it's not always just performance monitoring, but how do you address when the application fails," said Chris Childers, product manager at AVIcode.

Intercept Studio 4.0, which is priced starting at US$12,000 for a single monitoring console and one server agent, allows IT teams to view the health status of their system and their application from the application point of view. An on-the-fly configuration feature enables faster customization of data collection thresholds and triggers. Additionally, Intercept Studio 4.0 provides monitoring for applications running on the 64-bit .NET 2.0 architecture.

VersionOne Agile Platform Updated

BY DAVID RUBINSTEIN

Customization, integration and simplified planning are the hallmarks of the 6.4 release of VersionOne's V1 management platform for agile development.

The new edition offers users the ability to define custom fields. As founder Robert Holler explained, "Agile tools normally won't classify fields the way a user does."

Also new is Windows integrated authentication, with single sign-on against a Windows domain, and integration with automated testing tools, Holler said.

A new feature planner provides a single environment for viewing, entering and editing tasks, tests, estimates and priorities, Holler said, "so I don't have to go to three different places to see a feature and its associated assets." Templates automatically generate defaulted values, tasks and tests when a new feature is entered, he added.
Mobile Platform Devices Become Data Collectors

Microsoft unveils AURA research project aimed at sensor-based applications

BY P. J. CONNOLLY

Mobile sensor-driven applications moved a step closer to reality in late December, when Microsoft announced the availability of so-called "research prototype" technology for the Windows Mobile platform. The AURA (Advanced User Research Annotation) System is a dispatch loop manager for mobile devices that can work with a variety of sensors to collect data.

Marc Smith, the senior research sociologist leading Microsoft Research's Community Technologies Group, explained, "The mobile device is more than a phone...it can be seen as an object-triggered information retrieval system. As machines come to be able to sense the world around us, they can react to, and provide, information associated with that world."

Accelerometers, Bluetooth beacons, cell towers, GPS devices and RFID tags are all examples of sensors that can provide data to a mobile device for consumption by a central application. The AURA project's goal is to give developers an application framework that can forward the collected data and metadata to a central server, for monitoring or archival purposes.

The project's prototype is a Web application that allows users to scan product bar codes on a Windows Mobile phone, which then contacts the Web services that identify the product. The Web service collects the available metadata and launches a browser window on the device that provides the user with more information about the product. They can then provide their own feedback on the item through the AURA community Web site, or view the comments of others.

Smith observed that the bar codes on the media and grocery items in the AURA prototype's database provided a way to link to more information on the individual products, via the Internet. The point of the prototype, he explained, was "bridging the gap between the physical object and its digital 'aura,' if you will, the cloud of information relevant [to] and associated with that object, bridging the vast stores of information on the back end with the mobile device on the front end, and triggering it based on, 'Hey, look at what I'm looking at, Computer!'"

The AURA client uses Web services to manage metadata 'payloads' while providing a simple interface for sensors.

According to Smith, one of the unforeseen technical hurdles that came up when adapting cell phone cameras as bar code readers was optical: "One of the things we had to do was to set the cameras to a lower resolution than they are capable of." Focal depth was also a problem, since with most cell phone cameras, "if you're close enough to see it, you're close enough to blur it," he recalled.

But the vision of AURA extends far beyond shopping, or even supply-chain management. Oil exploration is one example Smith cited of an industry that had particularly acute requirements for interactive mobile data collection. "The architecture of the client is such that any number of additional sensors, and the events they fire, could be used," he noted. "Part of what we're demonstrating is that this is now moving down to consumer-grade hardware."

Smith is especially proud of the ease with which one can redirect the AURA client to a new set of resources: "It requires a text editor and a couple of lines of XML."

Although the project is officially a beta, Smith noted, "the pieces actually fit together, and they work. The question now is, what are the compelling scenarios? We would like to see enterprise developers start chewing on this and see if they can find other applications for it." The AURA client is available at the project Web site, at aura.research.microsoft.com/Aura; registration is required to use the prototype application.
Veracode Offers On-Demand Binary Scan

◄ continued from page 1

the RSA Conference in early February. Veracode CEO Matt Moynahan said, "To get complete coverage of any application or any software, you have to look at the 1's and 0's as opposed to source code."

Veracode, said Moynahan, is an on-demand service. Clients pay per megabyte to upload their binaries to the Veracode Web site, where automated security analysis is performed. Moynahan said that his company will offer a service-level agreement for completing all scans within one to three days of the upload being completed.

Binaries uploaded to the Veracode service will be subjected to scans for buffer overflows, code injection points and lack of encryption in crucial spots, said Moynahan. The service will also scan binaries for known rootkits and Trojan horse code, and as the service expands, Moynahan claimed it will be able to find obfuscated backdoors that have perhaps been injected by malicious internal coders.

"What's unique to me was the notion that doing code analysis at the binary level reduces the concerns around IP," said Moynahan. Without relying on possession of the original source code being used by a team, Veracode offers developers a way to run security analysis against third-party code that is used in conjunction with first-party projects.

But despite Moynahan's claims of IP cleanliness, the Veracode system remains to be tested against even the most modest of third-party end-user license agreements, most of which forbid the redistribution of binaries. Uploading a binary to an outside Web site could be seen as redistribution under some EULAs.

Veracode will also offer consulting services to help developers fix the holes discovered by its automated service. The initial version of Veracode will offer scans of C and C++ code, and Moynahan promised that Java analysis would also be available by the time of launch in February. Future additions to the platform should include the ability to scan PHP and C# applications.
Java SE 6 Seen as Improvement

◄ continued from page 1

snapshot and run it through its paces. The binaries that were released also helped a lot. Even Apple managed to squeeze out a few preview releases, something unheard of for a nonfinal version of Java previously."

As he became more familiar with Java SE 6, Suleiman said that he fell in love with the incremental updates. "The best changes are perhaps in the details, rather than the big shiny stuff. Performance fixes are always a welcome enhancement, for example. One of my favorite new features is the improved debugging support, where you can attach to a Java process without having to specify different command line flags to enable debugging," said Suleiman.

Pirates and copyright flouters will find that their favorite tool, Limewire, looks more like other Windows applications when running under Java SE 6.

Another developer who has toyed with Java SE 6 is Sam Berlin, a senior developer at Limewire. His company produces the infamous peer-to-peer networking platform of the same name, which runs on the Gnutella network. While Limewire is typically used to illegally trade movies, music and software online, it's also a massively complex Java desktop application. As such, Berlin finds the new Swing support to be of real importance.

"The thing that really got me was the anti-aliasing of text. When you run Limewire and you have other native Windows applications running alongside older versions of Java, the native apps look really pretty if you have a flat panel monitor, but the Java application didn't," said Berlin.

'GRAY BOXES' GONE

Barry Burd, professor of mathematics and computer science at Drew University, also has been following the Java SE 6 development process. He pointed out the newly refocused Swing implementation as a primary reason for upgrading to the new Java.

"In terms of GUI rendering, it's so much better," said Burd. "Until now, Swing applications didn't look like applications; they looked like gray boxes. The gray box problem made them so inconvenient to use, you just wanted to throw the whole thing out the window and go write native applications. Now they look just as good as native programs."

BENEFIT OR BLOAT?

Burd's favorite addition to the platform, meanwhile, is one that many developers have questioned: the inclusion of the Derby Java database. "Many people in the real world think that [Java SE 6] is bloated — that the download is too large. They're complaining about the fact that everything that's been deprecated hasn't actually been taken out, except for the MIDI support," said Burd.

"But, as an educator, I find it fantastic that this is in there," added Burd. "This means there's a standard database in there that I can use with ease in my database work. I don't have to worry about the 5,000 other features available in different databases. Anybody in the corporate world will say, 'There's diversity out there; we don't want to use this generic least common denominator.' But for my money, in explaining Java and how databases work, I find it incredibly useful to have a standardized database that does what I need it to do, and that I can talk about it in Java terms."

Burd also pointed to the inclusion of scripting support, compiler access and pluggable annotations as beneficial steps toward making Java an environment that can handle both type-safe and dynamically typed development.

But there are some sore spots in Java SE 6. Suleiman pointed out that he was still unsure of the Web services additions to the platform. "It feels too much like trying to play catch-up with Microsoft, and attempting to make Web services more 'native' by sucking [them] into the core platform. I'm not convinced this is so vital. It also makes adding in third-party implementations trickier," said Suleiman.

Burd, too, has his reservations about the new release but felt that it was a general improvement overall. "This is not as sexy a release as Java SE 5. There aren't any new language features. There tends to be this nice robustness buildup from one release to another. This feels very sturdy, and since it was a more conservative update than Java 5, it probably is more sturdy, though it's still too early to say," said Burd.

Berlin agreed. "They had gotten the base work of making it better for developers done. Now they're just making it better for people."



TeamCity Enters Visual Studio

Version 1.2 adds Visual SourceSafe support

BY ALEX HANDY

JetBrains, the flying craniums responsible for the IntelliJ IDEA integrated development environment, has updated its team and build management software. TeamCity 1.2 adds Visual Studio integrations for both versions 2005 and 6.0 of Microsoft's IDE. These additions bring TeamCity into the .NET world for the first time.

Sergey Dmitriev is JetBrains' CEO, and he said that TeamCity 1.2 allows .NET developers to use the product for the first time. This comes through the addition of Visual Studio plug-ins and support for Visual SourceSafe, Microsoft's code repository.

"TeamCity is intended as a cross-platform tool to support development teams working on both Java and .NET frameworks," Dmitriev said. "The cross-platform objective was a real challenge for our engineers. The initial set of productivity features focused on supporting Java-based projects — that is why delivering new features for .NET teams makes us feel that we are approaching the desired balance."

TeamCity now supports both Java and .NET development and build management. At its heart, the software allows development managers to coordinate nightly builds and tests, and to raise coding standards. The software will also attempt to lock out developers whose code does not pass initial tests, thus forcing coders to adhere to standards under penalty of lockout.

The new version of TeamCity also includes multiple bug fixes and cleanups left over from previous releases. Also added is the ability to run open stack traces inside Visual Studio.

The update to version 1.2 of TeamCity is free to those who've already purchased the product, or received it in bundles with other JetBrains software. Otherwise, the platform costs US$199 per user.
Modeling Is Key to Software Success

Behavioral and structural views make for better code, claims evangelist Douglass

BY P. J. CONNOLLY

Modeling an application is more than just creating a flow chart. Model Driven Architecture (MDA) is a scheme in which fundamental concepts are abstracted away from incidental methods, for easier understanding and, hopefully, process improvement. As Telelogic chief evangelist Bruce Powel Douglass noted, "The key principle behind MDA is the separation of the essential characteristics from the things that change."

Douglass, a former co-chair of Object Management Group's Real-Time Analysis and Design Working Group and the author of several books on developing real-time systems using modeling techniques, has recently been espousing the benefits of C programming in a graphical way. Telelogic in early January released Modeler, a free, entry-level modeling environment that can be used to create embedded systems.

Douglass explained that "[models] improve your ability to visualize characteristics of your system. In 5 million lines of source code, where are your threads? Who creates them, who destroys them, where do they run, when do they run? What are the resources the threads share and how are they managed?"

The advantage, as Douglass put it, is that "I can visualize things better; I can more easily see what's going on." This doesn't always make the customer happy, he conceded. "A lot of people have found that once they can see the architecture of the system, they say, 'What was I thinking?'" Communication, consistency and provability are the obvious byproducts of a model-driven development culture, according to Douglass.

Everyone has a limit to the amount of source code they can sight-read, says Douglass.

He likened the development of an application to the construction of a building, arguing, "I don't have one picture with every detail of that building on it. I have blueprints that emphasize structural members; I have blueprints that emphasize water conduits, electrical management, heating management, different views that support different questions." Class diagrams, sequence diagrams and state machines can be seen as analogous to the electrical, HVAC and plumbing diagrams of a physical structure.

"What we've done in [our] graphical C environment," Douglass noted, "is we've identified eight functional, or operational, views. First is the use case diagram — that's a way of representing requirements... and clustering requirements into usable, coherent units.

"Then," he continued, "there's a set of [four] structural views. A build diagram basically shows the things you're going to construct. For example, you'll have a database, you'll have some DLLs, an executable, and you want to represent the set of these built things that you're going to wire together in the actual application, which might be distributed across processors, or threads, maybe all running in one thread.

"A call graph shows how I'm going to have these things called functions and provides a sequence in which it can call other functions, as well as things that get passed as variables, as parameters, amongst those things. [It] represents a sequenced set of function calls for your system," Douglass explained.

"Another one is the file diagram," he said, which represents .c and .h files, and their features, including "the functions, the types and the variables they contain. Well, I can represent those with boxes showing one compartment for the variables, one compartment for the functions and one for the types. I can show how they relate to other [files], in terms of 'Do they have a header-include, or is it a source-include?' I can show whatever the level of detail I need on a file diagram.

"The last of the structural views," Douglass continued, "is, of course, source code. It's always available to me, and if I need to look at it, I can go there."

Douglass went on to outline three behavioral views of software. "Message diagrams basically show messages among these file elements, as they invoke services and pass data. These invocations can either be synchronous, as in just a regular call, or they can be asynchronous, in terms of I'm sending an event, which is queued and processed. So, I can represent both those kinds of 'thread rendezvous,' if you will."

He continued, "A state diagram, I can take for a file as a combination of functions, types and variables. What a state diagram does is, it says in what order can those services be invoked. [For example,] I might not want to take an aircraft on an approach vector unless my landing gear is down. I can enforce certain preconditions in a state machine."

Last, Douglass said, "we have flow charts, which represent algorithms. In UML, we have something similar, called an 'activity diagram,' which is like a flow chart on steroids."

Although some code jockeys will always scoff at the use of modeling, he observed, everyone has a limit to the amount of source code that they can sight-read. "No matter how smart you are, there's a system too complicated for you to grasp," he noted.

Xilinx Accelerates FPGA Design

BY P. J. CONNOLLY

Xilinx updated its Integrated Software Environment (ISE) last month by including new compiler features that the company claims can cut runtimes to one-sixth of what they previously were. ISE 9.1i also addresses the requirements of power-sensitive applications, reducing dynamic power consumption by an average of 10 percent, according to Xilinx.

The new SmartCompile technology allows field-programmable gate array (FPGA) designers to partition the design, and uses cut-and-paste features to preserve the placement and routing of unchanged portions of the design. That, the company says, reduces the time it takes to implement the design changes.

Likewise, the compiler's SmartGuide reduces reimplementation time significantly by using prior implementation results where appropriate.

Also new to the ISE compiler is the SmartPreview feature, which allows developers to evaluate their designs as a series of stages. By allowing users to pause and resume the process of placing and routing to collect results, SmartPreview lets its users make important trade-off decisions based on intermediate results of routing and timing.

An expanded timing closure environment allows designers to cross-probe between constraint entry, timing analysis, floor-planning and report views, for more effective analysis of timing problems. The timing closure in ISE 9.1i offers improved timing correlation between synthesis and placement, combined with enhanced physical synthesis, for more accurate results.

The new ISE takes advantage of Xilinx's latest 65nm Virtex-5 platform and the associated diagonally symmetric ExpressFabric design to provide what the company claims is a 30 percent improvement in performance when compared with competitors' products.

The increasing numbers of FPGA designers that have adopted source code control will appreciate the way that ISE 9.1i identifies the files needed to recreate the results for a particular series of tests. A Tcl console allows developers to easily move between the ISE graphical interface and the command line. All versions of ISE 9.1i run on Red Hat Enterprise Linux 3 and 4, and Microsoft Windows 2000 and XP Professional.

Green Hills FAT-tens Up Its RTOS

BY P. J. CONNOLLY

Green Hills Software released an update to its micro-velOSity royalty-free real-time operating system last month, with new features designed to eke out optimum performance while minimizing the system footprint. micro-velOSity 2.2 also adds support for MIPS32 processors, aiming at the system-on-a-chip market.

The new version of Green Hills' RTOS includes a FAT-compatible file system, micro-File, that can be used with a variety of programming interfaces and media. C standard I/O and C++ I/O streams are supported along with POSIX. The flash device manager features wear-leveling technology that reduces the effect of repeated erasures and writes on flash memory, which will degrade after a number of write/erase cycles.

A USB device management system is also part of the micro-velOSity update; micro-USB includes an API and a framework for managing USB 1.1 and 2.0 devices. It allows the use of a wide variety of device types, including USB memory sticks.

Another new feature of micro-velOSity 2.2 is GHNet, a TCP/IP networking suite that was designed from the ground up to provide comprehensive RFC and standards-based support for a wide range of core management and transport protocols.

By adding MIPS to the list of supported processors, the company can now claim to support all major 32-bit processors used in embedded devices. The company already supported the ARM, Blackfin, ColdFire and Power Architecture families.
Web 2.0, AJAX create more places for attacks to gain entry

They used to talk about buffer overflows, cross-site scripting errors and SQL injections. But today talk from application security tool makers is all about AJAX and Web 2.0.

If the shifting conversation is any indication, the old threats — essentially techniques hackers use to attack applications — are a thing of the past, replaced by new types of attacks, unique to AJAX (Asynchronous JavaScript and XML) and Web 2.0.

But nothing could be further from the truth, according to application security tool makers. The old threats are alive and well, and the newer technologies have not given rise to fundamentally new types of attacks. But three key factors are changing the application security landscape, steering the conversation in a new, bigger-picture direction.

First, like other tool makers, those that sell application security offerings are eager to reposition their tools around the current hot technologies, leading to "a lot of chatter around AJAX and Web 2.0," said Ed Adams, president and CEO of software security consultancy Security Innovation. "They are the latest and greatest technologies."

Second, the application security market, relatively unknown only a few years ago, is moving out of its earliest phase. And rather than focus on highly technical details pertaining to SQL injections and cross-site scripting errors, for example, tool makers are emphasizing the root cause of these flaws: the need to validate input to Web applications.

"We need to stop chasing the vulnerabilities one by one," said Danny Allan, strategic research analyst for Watchfire, which sells application security tools, among other offerings.

Theresa Lanowitz, who heads research firm Voke, agreed. But she also pointed out that app security tool makers are emphasizing the big picture in order to better position their offerings to business decision makers. "The CIO does not want to [listen to you] talk about buffer overflows. If you do, he'll send you to development."

The third, and most important, reason the app security conversation is changing is that AJAX and Web 2.0 have in fact made Web applications more vulnerable, most of the tool makers agreed. By definition, both technologies are highly responsive to the user, and that has created a "bigger attack surface," said Bryan Sullivan, a development manager for application security tool maker SPI Dynamics. In the past, when applications accepted input through a single form, "there was one door to secure. But with AJAX and Web 2.0, there are many, many more [entry points]." And each represents an opening a hacker could exploit, he said. "Think about a bank, versus a shopping mall. There's one door for the bank, but hundreds of doors for the shopping mall. And they all have to be guarded."

NEW, LESS SECURE LANDSCAPE

The emergence of more openings to exploit has indeed increased concern about Web application security, said Brian Chess, chief scientist and founder of Fortify Software, which sells application security tools. "But while the newer technologies change the security landscape, they don't change any of the fundamentals of making applications more secure," he said. "AJAX and Web 2.0 are simply magnifying the complexity of applications."

With AJAX, there are just more aspects of a Web application that can be compromised, said Billy Hoffman, a lead researcher at SPI Dynamics, and co-author with Sullivan of "AJAX Security," continued on page 36 ►



36 | SPECIAL REPORT | Software Development Times | February 1, 2007 | www.sdtimes.com



New Web 2.0 Technologies Creating Gaps

◄ continued from page 35

a book expected from Addison-Wesley this summer. "If you analyze only the server code, you have ignored half of the app," he said. "You have to [test] the client, where JavaScript does the processing work, and you have to analyze how those two pieces interact."

A key issue to take into account is how the app handles authentication, said Chris Wysopal, co-founder and CTO of Veracode, an application security startup expected to open its doors for business this month. "Applications are typically validated for input on the client side. If everything is OK, the input is sent to the server. But apps aren't validated again on the server."

That approach doesn't make sense with AJAX. It could lead to an exploit where a hacker gets the client to make a call to the server that says, "Clone this Java object," said Wysopal, offering an example. "All those Java objects could bring the server down."

What complicates matters with AJAX is that so much is going on behind the scenes, making it easy to overlook potential openings.

"AJAX apps are devilishly difficult to QA," said SPI Dynamics' Hoffman, referring to the quality assurance testing process. "Say you have a map of the 50 states, where holding the mouse over each state lets you see data," he said, offering an example. "If you look under the covers, you will see each state represents a request. You have to test every single one. If I send XX to California, will it break?" The possibilities for attack are infinite, he added.
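Wysopal's point (input checked only in the browser, never re-checked by the server) and Hoffman's "map of the 50 states" (every state is its own request, so every state is its own entry point) fit into one small model. The following is an added example, not code from the article or from any vendor it quotes: a trusting request handler that assumes the client already validated the state code, beside a hardened one that validates on the server no matter what the client did. Every name here (STATE_DATA, handleStateRequest, probe) is illustrative, the state table is a constructed sample, and the 500 that `probe` reports for an unhandled exception is an assumption about how a typical server framework would surface it.

```javascript
// Added example (not from the SD Times article). Models the "50 states" map:
// each state is a separate request to the server, so each is an entry point
// that must be validated server-side. Names and data are constructed.

// Constructed sample: a few of the 50 states, keyed by two-letter code.
const STATE_DATA = Object.freeze({
  CA: { name: 'California', capital: 'Sacramento' },
  NY: { name: 'New York', capital: 'Albany' },
  TX: { name: 'Texas', capital: 'Austin' },
});

// The allow-list check the browser-side JavaScript would run before sending.
// It improves the UI but is not a security control: anyone can call the
// endpoint directly with a request the page never generated.
function clientSideCheck(code) {
  return Object.prototype.hasOwnProperty.call(STATE_DATA, code);
}

// Trusting handler ("apps aren't validated again on the server"): assumes the
// client already checked `code`. Sending "XX" makes the lookup return
// undefined and the handler throws, which is Hoffman's "will it break?".
// Sending "constructor" is worse: the key is inherited from Object.prototype,
// so the lookup succeeds and the handler happily returns a 200 with garbage.
function handleStateRequestTrusting(query) {
  const info = STATE_DATA[query.code];
  return { status: 200, body: `<h1>${query.code}</h1><p>${info.capital}</p>` };
}

// Escape untrusted text before it is interpolated into HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Hardened handler: re-validates on the server regardless of the client.
// Checks type (a repeated query parameter parses as an array), shape (exactly
// two upper-case letters) and allow-list membership via hasOwnProperty so that
// inherited names such as "constructor" are not treated as states. On failure
// it returns a generic 400 and never echoes the rejected input.
function handleStateRequest(query) {
  const code = query.code;
  if (typeof code !== 'string' || !/^[A-Z]{2}$/.test(code) ||
      !Object.prototype.hasOwnProperty.call(STATE_DATA, code)) {
    return { status: 400, body: 'unknown state code' };
  }
  const info = STATE_DATA[code];
  return {
    status: 200,
    body: `<h1>${escapeHtml(info.name)}</h1><p>Capital: ${escapeHtml(info.capital)}</p>`,
  };
}

// Simulates a client that skips the browser-side check and hits the handler
// directly. An uncaught exception is reported as 500 (assumed framework
// behaviour), so the caller can see "it broke" as a status code.
function probe(handler, code) {
  try {
    return handler({ code }).status;
  } catch (e) {
    return 500;
  }
}

// Side-by-side result for one input: what the client check says, and what each
// handler does when the input reaches the server anyway.
function probeAll(code) {
  return {
    clientCheck: clientSideCheck(code),
    trusting: probe(handleStateRequestTrusting, code),
    hardened: probe(handleStateRequest, code),
  };
}
```

Running `probeAll` over `'CA'`, `'XX'`, `'<script>'` and `'constructor'` shows the pattern the article describes: the client check rejects everything but `'CA'`, yet the trusting handler crashes on `'XX'` and `'<script>'` and accepts `'constructor'`, while the hardened handler returns 400 for all three and 200 only for the real state.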

The "under the covers"
aspect of AJAX apps has led
some to dispute the notion that
AJAX apps have an inherently
bigger attack surface. "Re-
quests are happening, and you
may not know it," said Ryan
Berg, chief scientist and co-
founder of app security tool
maker Ounce Labs. But that
doesn't mean AJAX apps have
an inherently larger attack sur-
face, he said. "We try to de-
mystify AJAX, but it's regular
JavaScript."

Jeremiah Grossman, CTO 
for WhiteHat Security, a Web 
application security services 
provider, agreed. "I don't think 
AJAX changes the security 
landscape at all," he said. "It's a 
client-side set of technologies 
and a cool, new buzzword. It 
doesn't change how vulnerable 
a Web site might be." 

THREATS BEYOND AJAX 

In some respects, the security
threats AJAX presents are simi-
lar to those around service-ori-
ented architectures, noted For-
tify's Chess. "Both reflect the
growing complexity of software
we are working with. With
SOA, instead of client and serv-
er talking to each other, you
have Web services talking to
each other." A SOA-based bank
application might include, for
example, one Web service for
accessing a checking account,
another for managing a credit
card account and another for
authorizing access to the appli-
cation, he said. "With a tradi-
tional application, the sequence
was a given [that] you had to log
in and go through the autho-
rization process before you
could access your bank bal-
ance." But with SOA, those
events can occur out of
sequence, and that brings with
it new security concerns, he
said.

WHAT WILL IT TAKE FOR APP SECURITY TO TAKE OFF?

From credit card privacy pit-
falls to news reports about
Social Security leaks, evi-
dence of unsecured applica-
tions abounds.

But despite the steady
stream of news — and the
growing number of compa-
nies peddling offerings for
building software that can
withstand attack — the mar-
ket for application security is
yet to take off dramatically.

An estimated 85 percent
of IT organizations are still in
"tire-kicking mode" when it
comes to buying application
security tools, said Voke ana-
lyst Theresa Lanowitz.

Things are pretty quiet on
the acquisition front. Watch-
fire bought Sanctum in 2004,
and Fortify Software last
month announced a plan to
acquire Secure Software, but
"we haven't seen Mercury,
Compuware, IBM Rational or
Microsoft make a bold play,"
she said.

Lanowitz does not expect
that the application security
market will take off until one
of the top application life-
cycle management (ALM)
tool makers buys an applica-
tion security company.

Three things are holding
the big ALM players back, she
said. First, their customers
aren't demanding application
security tools. Second, the
acquisition price of compa-
nies that make such tools is
still high. Third, application
security software remains a
pretty technical play, and as
of yet it hasn't hit the radar
screen of the CIO and line-of-
business managers, she said.

Beyond a big ALM player
taking the lead, only one
thing could get that market
off the ground, Lanowitz said.
"A catastrophe so big the
business pays attention."

—Jennifer deJong

Newer still are the security
concerns ushered in by Web
2.0, a concept that views the
World Wide Web as not just a
collection of sites, but also as a
platform with which users
interact. "Users are contribut-
ing to the Web's collective intel-
ligence, and that creates a new
attack vector," said Mike Wei-
der, founder and CTO of
Watchfire. "How do I make
sure [their contributions are]
not malicious?" That is a new
challenge: Web sites must test
their own apps, and also make
sure user contributions are
secure, he said. "There aren't
any automated tools to do that.
The company creating the Web
site is left to filter the content."

Another potential opening
brought about by Web 2.0 is so-
called mashups, Web applica-
tions that automatically com-
bine content from more than one source,
by making publicly available information
about how to access them. "They offer a
blueprint of how to interact with them,"
said SPI Dynamics' Sullivan. "But a
hacker will say, 'OK, this is the proper
way to do things. I will do the opposite,' "
he said. "When you tell people how
to talk directly to your back-end systems,
you are telling them how to attack you."

A MORE SOPHISTICATED STORY 

As developers, testers and application
security tool makers work to plug holes
opened by AJAX and other Web 2.0
technologies, one thing is clear: Tool
makers aren't likely to resort to talking
about SQL injections and cross-site
scripting errors.

It's a good thing the conversation has
moved away from individual attacks,
said Fortify's Chess. "More people are
thinking about the fact that these
attacks are not isolated [incidents]. And
that leads people to plan — not just
react," he said. "We need to educate
programmers, verify that mistakes
were found, and think a little more
holistically."



MASHUPS: THE NEXT BREACH? 



As a cool, Web 2.0 technology, mashups are getting a lot of ink. But not so much 
has been said about the application security concerns that may come with them. 

It's not that mashups — applications created by merging information from multi- 
ple online sources — are inherently insecure. The problem is that they bring togeth- 
er from disparate sources components that fall outside of the mashup developer's 
control. Mashups offer a quick way to build powerful applications without having to
write them from scratch, said Chris Wysopal, co-founder and CTO of application 
security startup Veracode. "But you are building applications with components you 
can't manage. You can't do security on them." 

That issue must be addressed if mashups are to make their way in the enterprise 
application arena. "The industry needs to come up with a means to show that com- 
ponents used in mashups are secure," he said. "We are moving away from a world 
where I could test the entire app, even if I bought code from outside sources," he 
said. "With mashups, that is going away." — Jennifer deJong 
Hackistan leader shakes confidence of I.T. world.

Conventional firewalls unable to withstand expected onslaught.

The conclusions of the Hackistan Study
Group (HSG) offer an alarming assess-
ment of the hacking threats posed by
this rogue nation.

Hackistan has toyed with security profes-
sionals ever since a state-sponsored team of
digital terrorists hacked into the FAA database
and put Harry Truman on a no-fly list. But the
situation is worsening, as the report cites "an
alarming investment in Hackistan's elite Bot
Army." It noted that "the growing sophistication
of their logic bombs, Trojans and SQL injection
techniques is gravely disturbing."

Many are banking on California-based
Fortify Software, a leader in software security, to
neutralize these threats. Commenting on Fortify's
groundbreaking approach, the report said that
"protecting applications at the code level is
increasingly being viewed as the only viable path
to creating confidence in a very dangerous world."
Contacted at Fortify's global headquarters,
John M. Jack, the company's CEO, was
undaunted by Hackistan's bluster,
commenting that "true, for the rest of
the security industry they are a devas-
tating threat. For us, they're amateurs
who couldn't break into my daughter's
Kevin Federline lunch box." He added,
"We are able to identify and fix vulnerabilities
throughout the entire development process. We
anticipate that frustrated hackers, hungry and
broke, will have to move back in with their
parents in record numbers."

No Hackistan official was available for com-
ment, but a blog post that is believed to come
from a senior Hackistan official (or even
Lifetime Despot Zorkul himself) mocked the
security efforts of government and industry,
saying that "the chances of the world getting
serious about code security are about as likely as
John Jack waking up with a full head of hair."

"The study group warned against
pro-Hackistan propaganda that appears on
web sites like www.discoverhackistan.com."

[Photo caption: Lifetime Despot Zorkul of Hackistan]

CEO Jack fired back: "I have ultimate
confidence that our products Fortify SCA,
Fortify Tracer and Fortify Defender will block
Hackistan's nefarious plans. Zorkul's desperation
is also apparent; he has chosen to attack me on
the follicle level because they are powerless to
reach us on the code level."

Leading the fight against Hackistan is an innovative
high-tech company called Fortify Software. The company said it will
not rest until Hackistan is turned into a Club Med vacation spot.

REPRINTED FROM GLOBAL SECURITY UPDATE, JANUARY 2007 • JOIN THE FIGHT AGAINST HACKISTAN • GO TO WWW.FORTIFYSOFTWARE.COM.
FROM THE EDITORS

Java SE 6: Best Java Yet 

Sun has released version 6 of the Java Platform, Standard Edition, 
and the word on the street is that this is the best Java implementa- 
tion yet. And it should be. After all, this is the first version of Java that 
can produce attractive desktop applications, with all those incumbent 
animations, shadings and transparencies that make modern operating 
systems so sexy. While Sun loves to cite a 15 percent-to-20 percent 
speed increase in the JVM itself, the company isn't so vocal about its 
newfound love of native GUIs. Rather, Sun has calmly stated over the 
past year that Java SE 6 would produce the most beautiful integrated 
applications yet. 

It would certainly seem that Sun has delivered on its promise. So well, 
in fact, that Java SE 6 applications can barely be distinguished from their 
native counterparts. 

But there are other improvements in Java SE 6 that herald a bright 
future for the platform. The first of these is the important decision to 
throw MIDI support overboard. While insignificant in the grand JDK, 
MIDI support was a long-deemed useless aspect of the Java environ- 
ment, and the JCP's decision to remove it is one that sets an excellent 
precedent: Given enough time and lack of interest, even an environment 
that holds compatibility as its goal and mantra can find ways to remove 
unused code. 

Finally, the inclusion of the Derby Java database is a fantastic 
move. While no one will be erasing MySQL or Oracle installations in 
favor of Derby, it's a brilliant proving ground for developers who want 
a simple place to build database-driven experiments. If there is one 
area of development that is a consistent source of struggle and con- 
fusion, it's the database world. With dozens of database-specific APIs 
to choose from, it's convenient for developers and users alike to have 
a readily available data store that requires nothing more than Java's 
built-in faculties. 

App Security: Thinking Bigger 

With every step forward in software development, comes another 
hole that you can fall into. Rich Internet applications, such as 
those using AJAX or other "Web 2.0" techniques, offer to users undeni- 
able benefits as well as an attractive platform for the future. The loosely 
coupled and distributed architecture in this new model magnifies the 
complexity of applications tremendously, and provides new weak spots 
that miscreants can exploit with malicious software and overt attacks. It 
is important for development and test teams to receive the time, training 
and tools to address the security issues inherent in these new types of 
applications. 

However, it is also important not to overreact. According to experts, 
it's not an entirely new playing field. Specifically, existing threats — the 
types that your development and testing teams are already working to 
eliminate — are not going away. The biggest hazards remain bread-and- 
butter topics, like input validation. Security gurus love to get specific 
about particular exploits, such as buffer overflows, SQL injection or 
cross-site scripting. The nature of some of those exploits changes when 
dealing with AJAX or Web 2.0. But the big picture remains the same: 
authentication, authorization, validation. 

What's the cure? Ultimately, software architects, developers and tool 
makers will have to address the root causes of software security failures. 
The attack patterns will constantly change, not only with new integration 
technologies like Web 2.0 or service-oriented architectures, but also with 
changes in operating systems and application stacks. It's increasingly 
impossible to keep up with all the variations of each possible exploit on 
each platform combination. 

Only by thinking big, and addressing the root causes of application 
insecurity, will organizations take charge of application security.



LETTERS TO THE EDITOR 

Remember CUA?? 



I applaud Alan Zeichick's comments on 
CUA compliance ["Zeichick's Take: 
Remember CUA Compliance? Microsoft 
Doesn't," News on Thursday, Jan. 4]. I've 
been a software engineer for over 14 years 
and love my GUIs and IDEs (and the 
command-line too), but it's essential to be 
able to use the keyboard shortcuts instead 
of the mouse so I don't have to keep mov- 
ing my hand away from the keyboard. 

If someone doesn't follow CUA rules, 
I have to learn new keystrokes to get to 
standard functions that are common to 
all applications (like "open," "save," etc). 

Regarding the Ribbon and Microsoft's 
claim that users couldn't find the more 
obscure features of Office products — 
doesn't the word "obscure" tell them 
something?? The problem isn't that there 
are too many features, it's that they're now 
all visible in a huge confusing smorgasbord 
with the least-used right next to the most 
commonly used. I think if they would 
instead enforce CUA-compliant standard 
menus in combination with moving non- 
standard (app-specific) functions to a cus- 
tomizable ribbon, that would go a long way 
in helping both novice and seasoned users 
get the most from the applications. 

Clayton J. Jones 

Senior Software Engineer 

SafeNet Inc. 

BOOK IT 

I enjoyed Andrew Binstock's column on
the various books available on Java pro- 
gramming ["Learning Java: What a 
Choice!" Jan. 1, page 44]. 

For a different, more modern take on 
how to learn Java, please take a look at 
"Agile Java: Crafting Code With Test- 
Driven Development." With this book, I 
purport to teach relatively new program- 
mers how to program in Java using TDD. 

Jeff Langr 

KEEP STUFF SAFE 

Your article on preserving scholarly jour-
nals was very interesting ["Portico Takes 
on 100-Year Archive Dilemma," Dec. 15, 
page 1]. We hope you might consider a
very different perspective on this area — 
the LOCKSS (Lots of Copies Keep Stuff 
Safe) Program (www.lockss.org). 

Libraries, with publisher coopera- 
tion, are building and preserving digital 
collections — for themselves! Using the 
LOCKSS system, libraries are able to 
work together to continue their role as 
memory organizations in service to all 
the readers in their communities, rather 
than outsourcing [the job]. 

They don't require large-scale cen- 
tralized infrastructure; they don't 
require arcane expertise. That's last cen- 
tury's approach to information technol- 
ogy! Robust, distributed, fault-tolerant, 
peer-to-peer are the systems engineer- 
ing approaches of the 21st century. 

The LOCKSS technology has won
awards for computer science research,
and is used by projects in the Library of 
Congress' NDIIPP program. 

In addition, almost every major com- 
mercial publisher in the world is cooper- 
ating to use the LOCKSS software in an 
initiative called CLOCKSS (Controlled 
Lots of Copies Keep Stuff Safe). 
CLOCKSS is community-governed, and 
after a major disaster, the content will be 
available to everyone — not just those 
who are paying a third-party service. 
After all — there's been a disaster!! 

Victoria Reich 

Director, LOCKSS Program 

Stanford University Libraries 

DON'T KILL THE MANAGER 

Ryan Martens' Guest View, "Kill Your In- 
ventory Manager" [Dec. 1, page 42], 
makes some good points for why an agile 
process is beneficial, but doesn't make a 
very convincing case for why eliminating 
your "inventory manager" is relevant to 
succeeding with an agile process. 

The author suggests that developers 
can become a slave to the inventory, but 
never mentions the idea of a product 
manager, whose job it is to refine the 
inventory. Martens says, "Hidden in those 
[inventory] systems are very bad defects 
tied to technical debt, important require- 
ments and lots of partially completed 
items that are development complete, 
but not 'done' enough to release or test." 
This seems to be an argument against 
poorly conceived "sub-assemblies" (to 
continue the metaphor), rather than 
against inventory tracking. 

I'm just not getting how the inventory
management system itself is imposing a
hindrance on the team...unless the author
assumes that in any practical inventory 
system, the inventory items will devolve 
into a chaotic mix of well-planned new 
functionality and poorly conceived cruft 
buried under countless maintenance 
tasks, and thus the only way to rise above 
the chaos is to set up a parallel system. 
The assumption is that Post-it notes are 
easier to set up than a parallel tracking 
tool. But the software solution exists for a 
reason: It provides capabilities essential to 
closing the loop with QA and generally 
tracking the state of the product. 

I agree with the claimed benefits of an 
agile process. I just don't see how the 
existence or lack of existence of an inven- 
tory manager is key to the success of an 
agile process. In fact with one agile 
process, Scrum, inventory (backlog) is an 
essential component. You could pick any 
arbitrary aspect of a software develop- 
ment process that is being poorly man- 
aged and make similar claims. 

Tom Metro 

Letters to SD Times should include the writer's name, 
company affiliation and contact information. Letters 
become the property of BZ Media and may be edited. 
Send to feedback@bzmedia.com. 
Tooling Up With CodeGear



CodeGear, the tools company spun off 
from Borland Software, has got 
some people with great ideas. I hope 
they're able to pull them off. 

Recently, I drove across California 
Highway 17, a beautiful but traffic- 
infested road, over to Scotts Valley and 
"The House That Philippe Built," the 
giant campus created by legendary 
Borland leader Philippe 
Kahn. CodeGear occupies 
one of the building's six 
wings — a far cry from the 
days when Borland filled the 
space to overflowing. Today, 
all the Borland folk have left 
Scotts Valley; it's CodeGear 
country now. 

My hosts were two long- 
time tools gurus: David Inter- 
simone (better known as 
David I, the voice of the Delphi com- 
munity) and Michael Swindell, the new 
vice president of products. We had a 
wonderful time reminiscing about the 
good old days, the bad old days, and 
what lies ahead for CodeGear, which 
has been set up as a wholly owned sub- 
sidiary of Borland. 

One thing they both emphasized is 
that CodeGear is operating as an 
autonomous unit: As long as the spin- 
off hits its financial goals, it can do just 
about whatever it likes without running
back to Tod Nielsen, Borland's CEO,
for approval. That includes bringing 
back the old "Turbo" brand, for exam- 
ple, for low-priced (and free) tools 
intended for consultants, enthusiasts 
and students. It also includes working 
with companies other than Borland on 
technology development, joint market- 
ing and integration. 

We discussed, for exam-
ple, the likelihood of part-
nerships between CodeGear
and Borland competitors in
the application life-cycle
management market, such as
HP's Mercury division, or
Serena or even IBM Ratio-
nal. According to Intersi-
mone and Swindell, that's
entirely possible within
CodeGear's charter. Howev-
er, that assumes that HP Mercury, Sere-
na and IBM Rational would see a bene-
fit from playing with CodeGear. Time
will tell if that comes to pass.

CodeGear's mission is very different 
from that of Borland. Borland's goal is
to sell high-end application life-cycle
management software to corporate big-
wigs: big sales of hundreds of seats cost-
ing many thousands of dollars. That
places it in competition with the likes of 
Serena, IBM Rational and even 
Microsoft's Team System. The Borland
message is about making the enterprise
more competitive, reducing the costs 
and risks of software development and 
so on. The character of specific devel- 
oper-facing tools doesn't factor into it. 
As Swindell put it, "The CIO doesn't 
care about IDEs." 

However, developers care about 
IDEs, and so do development depart- 
ment managers. They're the people 
CodeGear wants to talk to. To its enter- 
prise customers, CodeGear's message 
will be about enhancing the productivity 
of individual developers and develop- 
ment teams. CodeGear will try to show 
that tools, such as JBuilder, Delphi and 
Interbase, will help programmers write 
better code more quickly, and collabo- 
rate more effectively. 

The enthusiasm and, well, freshness 
in CodeGear is palpable; it reminds me 
of the Borland of old (before Del Yocam 
took the reins back in 1996). Intersi- 
mone and Swindell were talking about 
developing new tools, such as for 
dynamic languages and for Web-based 
collaboration, and have a real vision, the 
sort of vision that Borland used to have 
before it started acquiring companies to 
build ever-more-expensive tool suites. 

If CodeGear has the funding and 
autonomy to bring that vision to 
fruition, it could succeed. I hope it 
does.

Alan Zeichick is editorial director of SD 
Times. Read his blog at ztrek.blogspot 
Composite applications combine multiple information streams and
Web services to permit a new degree of flexibility in application 
development. A November 2006 report from the Aberdeen Group 
concludes from a survey of "nearly 135" enterprises that, although an 
organization may not have a fully developed service-oriented archi- 
tecture (SOA), the emerging technologies are stable enough that 
companies have begun implementing composite applications anyhow. 
Improved user interfaces, platform consolidation and technology 
replacement were all identified as objectives of a significant number 
of Aberdeen's respondents. Simplified integration was the desired
outcome of 3 in 5 respondents.

The authors of "How SOA Standards Are Accelerating Business 
Change" concluded that the level of staff experience is an important 
factor in the success of a composite application, as is the willingness 
to abandon efforts and tools that don't meet the needs of users and 
developers. They also noted that the testing and deployment stages 
still represented a challenge to organizations that were surveyed for 
the report, implying "process immaturity" and the challenges present- 
ed by the complexity required to deliver a polished Web experience.
Estimating the Known Unknowns



Those marching under the agile ban- 
ner, not satisfied with their routing of 
requirements documents, their conver- 
sion of the unit testers and their reduc- 
tion of the CASE battlements, and yet 
recognizing that the ground has not yet 
been prepared for battle that shall forev- 
er decide the role of Pair Programming 
(aka Ragnarok), have apparently decided 
that cost and schedule estimation shall 
be the next to fall. I think they overreach. 
It is possible to speak, with certainty, 
about dates, capacities, costs and 
staffing. It is possible to develop a budget 
that extends over several quarters, to 
deliver before some crucial date, and to 
assign programmers to a project in a way 
that keeps them busy but not crushed. 

Reasonably accurate estimates, 
though, have three problems: They often 
fall short of the dreams of management, 
they require diligence to produce, and 
they invariably contain caveats whose vio- 
lation will (invariably) increase costs and 
effort. There are easy answers for each of 
these problems: Lie to appease manage- 
ment, cut corners on the estimation 
process because everyone knows it won't 
work anyway, and keep your resume 
updated. These easy answers perpetuate 
the myth that accurate estimates are not 
just difficult, but impossible to produce. 



"[Rather than spend time developing 
an accurate estimate,] wouldn't it be bet- 
ter," I was asked by a prominent Agilista, 
"delivering working software on a regular 
basis?" The phrase "working software on 
a regular basis" is one of the favorite 
canards of agile fanatics, glossing over 
the definition of "working" and "regular." 

To management, "working 
software" means a system that
performs a significant business 
function in coordination with 
existing systems. It doesn't 
mean "compiles" or "passes 
the unit tests we wrote." To 
management, it isn't working 
until widgets can be ordered 
online, tracked through fulfill- 
ment and billed. You and I 
might see that as three differ- 
ent systems that can be developed incre- 
mentally, but developing and tracking 
software using "inch-pebbles" rather than 
"mile-stones" is hardly a 21st century 
innovation. As for "regular" delivery, the 
clocks of the business world tick to the 
pendulums of quarters and years, and the 
idea of deploying new software every 
month is a "benefit" that most companies 
would just as well forgo. 

Perhaps the greatest reason that soft- 
ware estimation is held in low esteem is
that it requires diligence. Like the C pro-
gramming language, software estimation 
works but is not forgiving of laziness. 
Every good estimation technique I know
of requires multiple passes over the 
source material, pushing down to an 
uncomfortable level of detail, rooting out 
ambiguity, facing uncomfortable truths 
about programmer productiv- 
ity, and so forth. When such 
details are skipped, what you 
have is gut instinct dressed up 
in enough finery to pass for an 
estimate, but no more likely 
to be helpful than a C pro- 
gram that skips over memory 
management. 

I happen to use my own 
variation of function point 
counting, but all more formal 
estimation techniques are essentially the 
same: Estimate the system's "volume" by 
scouring the use cases and looking for 
alternate scenarios. As you gather pieces, 
categorize their complexity and, if that's 
intractable or ambiguous, dig deeper. Per- 
fect requirements, another mythical enti- 
ty, are not necessary, but a screen count is. 
As the "known knowns" and "known 
unknowns" accumulate, a spreadsheet or 
algorithm raises the volume by some 
exponent significantly greater than 1. 



Software estimation requires technical 
expertise and an understanding of imple-
mentation at least good enough to be a 
solid bull detector. Programmers are an 
optimistic lot and, having said something 
would go quickly, are loath to backpedal
at their first glimpse of a pitfall. 

Most new systems are far more modu- 
larized than systems of old and therefore 
can be developed at higher rates than the 
averages you might find by casual 
Googling. A system built of 10 interoper- 
ating services, each a few thousand lines 
of code long, can be built significantly 
faster than a monolithic system with the 
same line count, a key benefit of service- 
oriented architectures. 

Will requirements change? Yes. Will 
aspects be hairier than they appeared 
initially? Sure. Reversed decisions, long 
nights, devastating last-minute require- 
ments changes, missed deadlines? If you 
have to ask, you haven't been in the soft- 
ware development business very long. 
But more formal software estimation 
techniques can give you a solid probabil- 
ity-based view of what can be accom- 
plished in a year or 18 months and can 
give you a solid foundation for dealing 
with the problems as they arise. It might 
not be the Utopia the extremists envi- 
sion, but it is good business.

Larry O'Brien is a technology consul- 
tant, analyst and writer. Read his blog at 
www.knowing.net.
HELP WANTED



WINDOWS/WEB DEVELOPER 

BZ Media, a fast-growing media company based on the North Shore of Long Island, is look- 
ing for a full-time programmer to help design, build, support and maintain Windows Server, 
ASP.NET and SharePoint Server applications.

The successful candidate will have at least two 
years' professional experience designing and devel- 
oping for Windows Server, with an emphasis on .NET 
development using C# and Visual Studio, as well as 
ASP.NET Web site development and ADO.NET data in- 
tegration. Experience with XML Web services, SQL 
Server and SharePoint Server is preferred.

The candidate must have strong communication 
skills, be well organized, and be able to work with a 
team in a multi-project, deadline-driven environment. 
The candidate must also be very detail-oriented and focused on quality, able to conform to 
house style rules and standards, and able to work quickly to bring products to completion. 

This full-time position is based in BZ Media's Huntington, N.Y., headquarters office, and 
the candidate must live within easy commuting range of the office. 
Only full-time candidates who live near Huntington will 
be considered. 

Send resume and salary history to BZ Media Human 
Resources, hr@bzmedia.com. BZ Media offers health 
benefits, vacations, a 401(k) plan and a four-week sab- 
batical every five years. BZ Media is an equal opportuni- 
ty employer. No calls, please. 





www.bzmedia.com 
Vinton G. Cerf
Vice President and Chief Internet Evangelist
Google

Amy Wu
Computer Science Student
Stanford University

Benjamin Mako Hill
Research Assistant
MIT Media Laboratory

Maria Klawe
President
Harvey Mudd College

ACM: KNOWLEDGE, COLLABORATION & INNOVATION IN COMPUTING

Uniting the world's computing professionals,
researchers and educators to inspire dialogue,
share resources and address the computing
field's challenges in the 21st Century.

Association for Computing Machinery
Advancing Computing as a Science & Profession
www.acm.org/learnmore
Feeling Groovy at Last



After many delays, the Java scripting 
language Groovy is finally shipping. 
The 1.0 release became official the first 
working day of this year, and it promises 
to bring lots of good things to many a 
Java developer. 

Groovy is a dynamic scripting lan- 
guage that was purpose-built for the Java 
platform. By this I mean that it is not the 
port of another idiom (in the Jython, 
JRuby mold), but a language that was 
designed for the JVM and specifically 
for use by Java developers. The goal — 
which appears to have been met — was to 
provide a simplified syntax for much of 
Java's notoriously wordy code. 

Groovy does away with the tedious- 
ness via lots of syntactic sugar that 
makes Java development really a plea- 
sure. For example, when you define a 
class, Groovy automatically creates 
default getters and setters for fields. 
Lists and maps — Java's most overused 
collections — are first-class members of 
the language. You declare and load them 
with values in a single concise statement 
akin to Java's syntax for arrays. 

Groovy also offers closures, which are 
a technique made famous by Ruby. Clo- 
sures have many definitions, and a 
rather dull meme in programming lan- 
guage blogs these days is arguing over
what constitutes a closure. Putting aside
the academics' sparring, closures are 
essentially anonymous blocks of code 
that are easily attached to a statement or 
function. They make it simple to specify 
an action without having to define a class 
and then a method. Instead, the actual 
code to be executed is stated inside 
parentheses and attached to 
another action. For example, 
a closure called find, let's say, 
can be attached to a collec- 
tion iterator to look for a spe- 
cific element. The closure 
contains only the equality 
statement to test for the 
desired element. Another 
one, called each, can be 
attached to indicate actions 
that should occur for every 
element in the collection. This design 
makes for concise code that is readily 
understandable. 
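The features described above (generated getters and setters, list and map literals, and the find and each closures) in one runnable script, added here as an example; it is not code from the column or from the Groovy project, and the LogEntry class and its three sample entries are constructed for illustration.

```groovy
// Added example, not from the column: a constructed LogEntry class and
// three constructed entries exercise the Groovy features the text describes.
class LogEntry {
    String host      // Groovy generates getHost()/setHost() for each field
    int status
    String path
}

// List and map literals, declared and loaded in a single statement
def entries = [
    new LogEntry(host: 'web-1', status: 200, path: '/index.html'),
    new LogEntry(host: 'web-2', status: 500, path: '/checkout'),
    new LogEntry(host: 'web-1', status: 403, path: '/admin')
]
def labels = [200: 'ok', 403: 'forbidden', 500: 'server error']

// find: the closure holds only the test for the element we want;
// 'it' is the implicit parameter bound to the current element
def firstError = entries.find { it.status >= 500 }
assert firstError.host == 'web-2'
assert firstError.getHost() == 'web-2'   // the generated getter

// each: the closure runs once for every element in the collection
entries.each { e ->
    println "${e.host} ${e.status} (${labels[e.status]}) ${e.path}"
}

// A closure is a value, so the same test can be attached to any collection
def denied = { LogEntry e -> e.status == 403 }
def deniedPaths = entries.findAll(denied)*.path
assert deniedPaths == ['/admin']
```

Run it with `groovy` on the file; the asserts are Groovy's built-in assert statement and fail loudly if a value is not what the comments claim.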

Groovy offers lots of other convenience features in areas where Java and other traditional languages tend to be weak, such as duck typing and special syntax to simplify common tasks like XML processing.

Integration Watch

Last year, I discussed my frustrating search for a good scripting language for Java. I ended up using NetRexx, which is an easy-to-learn and elegant language. However, it has not been updated in a long time and has nearly no community around it. These things matter, especially once you get into serious coding. Groovy has all these items in place.

For starters, it has an active community that responds quickly to queries and doesn't make newbies feel like they are unwashed ignoramuses. This community has given Groovy many of the accoutrements needed by a robust language: plug-ins for most IDEs, including Eclipse, JetBrains IntelliJ IDEA and NetBeans; JUnit support (in fact, some developers use Groovy especially for the ease of writing JUnit tests on regular Java code); and a plug-in for Ant (called Gant).

Moreover, Groovy integrates completely with Java. You can call Java classes and access Java objects natively. In the other direction, you can embed Groovy into Java apps easily. As a dynamic language, Groovy can be run from the command line either as an interpreter or through the usual compile process. The software and the basic docs are available as open source from groovy.codehaus.org. The definitive book on the language is Manning Press' excellent "Groovy in Action," which was written by several project leads.

The language's long incubation has enabled Groovy-based projects to develop right along with it. One of these is Grails (formerly called Groovy on Rails), which provides a framework like Ruby on Rails for Java developers. It transparently uses Hibernate and has support for AJAX front ends, in addition to all the ease-of-use features of the Rails design. (A book on Grails development, "The Definitive Guide to Grails," has just been released by Apress.)

There are many dynamic languages that run on the JVM. Groovy is unique in that it combines several features: It is purpose-designed for Java developers; it is supported by a JSR (JSR 241); it is supported by several vendors such that the chief technical lead works full-time on the language; and it has a robust tool set and an active community. For these reasons, I think Groovy has legs and could well emerge as the primary scripting language for the JVM.

I hope some of its features will rub off on the Java language itself, as Sun continues to find ways to make Java programming easier. In the meantime, have a look at Groovy and tell me if you don't agree.

Andrew Binstock is the principal analyst at Pacific Data Works. Read his blog at binstock.blogspot.com.
Perking Up

In what can hardly be classified as an upset, Google was named by Fortune magazine as the best place to work in America for 2007. Immediately, thoughts ran to the 11 gourmet restaurants located on its Mountain View, Calif., campus, the pool room (literally, a room with a lap pool), rock-climbing wall, and free car washes and oil changes. Did I mention free on-site medical care?

Sure, it's easy to give perks when your stock price is more than US$450 per share and you're the hot new darling of both Wall Street and Silicon Valley.

But do perks alone define the best place to work? A lot of people sure think so. I remember, back in the 1970s, when Computer Associates opened its Long Island office in Islandia, N.Y. — a town that no one who lived there even knew existed. Newspaper articles of the day described a new kind of company that offered free child care, free breakfasts and lunches and mandated an exercise period to help relieve stress and keep the body and mind sharp. At the time, these were thought to be unusual business and management practices brought from the Orient by company founder Charles Wang. And everyone thought, "Wow, what a great place to work!"

Unfortunately, CA has been in the spotlight lately for reasons other than its great perks. Folks still are talking about round after round of layoffs and financial scandals that continue to dog the software giant — in mid-January, former chief counsel Steve Woghin was sentenced to two years in jail for his role in the US$2.2 billion fraud.

And as we saw during the dot-com era, companies were outdoing themselves with perks and financial incentives to attract talented, skilled and motivated workers — sailing club memberships, massage therapy, pet health insurance and much more. But when the bubble burst, many — nay, most — of those companies went belly-up, and those same talented workers were thrown into unemployment — motivated now by finding a new job. So, ultimately, how good could those companies have been to work for?

What about pay? Does that make a job better than any other? Again, a lot of people think so, only to be caught in a salary trap that holds them in a place that is not professionally rewarding, or that is on an unstable foundation, or where their co-workers show up simply to pick up a check.

Behind the Fortune list is the Great Place to Work Institute (no, I'm not making that up), which explained that while perks and salaries are hugely important to workers, as much emphasis in the rankings was placed on trust, pride and camaraderie. A great place to work, they say, is one where workers "trust the people they work for, have pride in what they do, and enjoy the people they work with."

The institute's Web site goes on to say that it's the relationships that determine whether or not a company is a great place to work — the relationship between employees and their bosses, employees and their jobs, and employees and other employees.

Lines of communication are open. Respect is shown for the ability of the employees, and collaboration replaces authoritarianism, so people can take pride in their contributions to the company. People are treated fairly, in an equitable way, and feel they can "be themselves" among their fellow team members. This, according to the institute, is what makes a company truly great.

So it's no surprise that Google receives about 1,300 resumes a day from young, talented people who want to work in that kind of environment, according to Fortune.

I've worked at jobs where I felt that co-workers were slacking, or where bosses made unreasonable demands and failed to listen to what I had to say. I've worked at jobs where my immediate supervisors took credit for my ideas while standing with a figurative foot on my neck. I've even had a job where I got physically sick every morning just thinking about having to go into that office one more day, because the work went against my sense of ethics and fairness.

But, hey, it was close to my house, and the pay was great.

David Rubinstein is editor-in-chief of SD Times.



BUSINESS BRIEFS

The Software & Information Industry Association (SIIA) is preaching corporate responsibility following its collection of more than US$1 million from software piracy settlements. Several firms recently found in violation of software license agreements must delete unlicensed copies, purchase replacement software, agree to implement software management policies and undergo future compliance audits. SIIA states that such punitive measures are avoidable if companies — large and small — remain vigilant about software management practices and manage their risk. The December settlements bring a round of 11 cases to a close. Ciberlynx, Petroleum Heat and Power and Preventative Maintenance Company are among those named in the release. SIIA is a trade association representing the software and digital content industry. Its anti-piracy division proactively counters software and content piracy by attempting to strike a balance between law enforcement and its education campaign.

Avaya is seeking to extend its communications software product portfolio by acquiring Ubiquity Software, a developer of SIP-based product solutions. The Ubiquity software platform caters to service providers, systems integrators, ISVs and channel partners in the telecommunications industry that are on the path toward all-IP networks. Essentially, it is coupling together communications technologies with business processes and making this type of integration easier for its customers to achieve. Ubiquity contributes its platform, service creation framework and applications. Shareholders must accept the tender offer — valued at an estimated US$144 million — within 20 days for the acquisition to be complete. The Ubiquity board has already given its nod, unanimously recommending the proposal.

Say, "Hello, Moto." In the near future, Motorola will extend its services from the shop floor and corner office to the cash register and everywhere in between. It has finalized its purchase of Symbol Technologies; the merger is now a definite agreement. Symbol's mobility solutions integrate a slew of data capture products and RFID systems with mobile platforms. Symbol contributes 30 years of enterprise experience to Motorola. In its entirety, Motorola's platform will secure and manage mobile devices like the Motorola or wearable computers from Symbol, provide data access, and deploy collaborative tools and applications. Those capabilities come as a result of Motorola's recent purchase of Good Technologies. Symbol president Sal Iannuzzi, an industry veteran, has been tapped to head Motorola's new enterprise mobility unit.

EARNINGS: Apple reported that its first-quarter profit soared 78 percent as consumers bought iPod media players in bundles. The company posted a net profit of US$1 billion on record revenue of $7.1 billion for the period that ended Dec. 30, which is up from $565 million a year ago. During the quarter, Apple shipped 1.6 million Macintosh computers and 21 million iPods, and sales of the market-leading music players accounted for nearly half the total of company earnings. Apple's total number of iPod sales now stands at about 90 million units since it first went on sale in October 2001.



EVENTS CALENDAR

RSA Conference, Feb. 5-9
San Francisco
RSA SECURITY
www.rsaconference.com/2007/US

SCALE 5x (Southern California Linux Expo), Feb. 10-11
Los Angeles
SOCAL LINUX USER GROUPS
www.socallinuxexpo.org/scale5x

SHARE User Events, Feb. 11-16
Tampa, Fla.
SHARE
www.share.org

LinuxWorld OpenSolutions Summit, Feb. 14-15
New York
IDG WORLD EXPO
www.linuxworldexpo.com/live/14

EclipseCon, March 5-8
Santa Clara
ECLIPSE FOUNDATION
www.eclipsecon.org/2007

Game Developers Conference, March 5-9
San Francisco
CMP MEDIA
www.gdconf.com

Developer Relations Conference, March 12-13
San Francisco
EVANS DATA
www.evansdata.com/drc

BrainShare, March 18-23
Salt Lake City
NOVELL
www.novell.com/brainshare

SD West, March 19-23
Santa Clara
CMP MEDIA
www.sdexpo.com

VSLive, March 25-29
San Francisco
FAWCETTE TECHNICAL PUBLICATIONS
www.ftponline.com/conferences/vslive/2007/sf

Emerging Technology Conference, March 26-29
Burlingame, Calif.
O'REILLY MEDIA
conferences.oreillynet.com/et2007

Embedded Systems Conference, April 1-5
San Jose
CMP MEDIA
www.embedded.com/esc/sv

Web 2.0 Expo, April 15-18
San Francisco
O'REILLY MEDIA
www.web2expo.com

Software Security Summit, April 16-17
San Mateo, Calif.
BZ MEDIA
www.S-3con.com

Software Test & Performance Conference, April 17-19
San Mateo, Calif.
BZ MEDIA
www.stpcon.com

For a more complete calendar of U.S. software development events, see www.bzmedia.com/calendar. Information is subject to change. Send news about upcoming events to events@bzmedia.com.